From: Daniel M. <dtm...@ho...> - 2001-02-27 19:03:50
"Anthony A. D. Talltree" <aa...@ta...> writes:

> >you using IDS for, where people wouldn't already have the ability to
> >upload arbitrary files by other means? Also, whose security is
> >compromised by this?
>
> Imagine a zip file that contains ../index.cgi, which itself contains
>
> #!/bin/sh
> rm -rf /usr/local/apache
>
> or such, in the default case where IDS isn't running under suexec.

Ah, so you were imagining opening the zipfile on the server, instead of
simply having a zip file available for download, the way mp3 files are.
I misunderstood.

In that case I would think that something could be done with the
File::Archive module (or the Archive::Zip module) to limit the possible
damage a user could cause. This should probably be an optional add-on,
as I'd hate to introduce additional prerequisites for ids.
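The traversal case Anthony describes, worked through as an added example that is not part of the original thread and not IDS code: a Python zip extractor that refuses any member whose resolved path lands outside the destination directory, run over a constructed archive holding the `../index.cgi` entry plus an absolute path and a nested `a/../../` escape. The archive contents, the `uploads` directory and the helper names are assumptions; the same member-by-member check can be done in Perl by walking `Archive::Zip`'s member list before extracting anything.

```python
"""Hypothetical safe ZIP extractor (Python illustration, not IDS code and not
Archive::Zip): reject archive members that escape the extraction directory."""
import io
import os
import tempfile
import zipfile


def build_hostile_zip() -> bytes:
    """Construct (not captured from anywhere) an archive mixing a benign
    entry with the three classic escapes: ../, an absolute path, and a
    nested path that climbs back out after descending."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("songs/track01.txt", "harmless content\n")
        zf.writestr("../index.cgi", "#!/bin/sh\nrm -rf /usr/local/apache\n")
        zf.writestr("/etc/cron.d/evil", "* * * * * root /bin/true\n")
        zf.writestr("a/../../escape.txt", "also escapes\n")
    return buf.getvalue()


def is_safe_member(name: str, dest: str) -> bool:
    """True only if `name`, resolved relative to `dest`, stays inside `dest`.
    Resolving with realpath handles '..' anywhere in the path, absolute
    names (os.path.join discards `dest` for those) and symlinked parents."""
    # Archives written on Windows may use backslashes as separators.
    normalised = name.replace("\\", "/")
    if "\x00" in normalised:          # embedded NUL truncates names in C code
        return False
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, normalised))
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_extract(zip_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract only the members that pass is_safe_member.
    Returns (extracted names, rejected names) so the caller can log both."""
    extracted: list[str] = []
    rejected: list[str] = []
    os.makedirs(dest, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest):
                rejected.append(info.filename)
                continue
            target = os.path.realpath(
                os.path.join(dest, info.filename.replace("\\", "/")))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
                # Never carry over the archive's permission bits: a dropped
                # *.cgi must not be executable even inside the upload dir.
                os.chmod(target, 0o644)
            extracted.append(info.filename)
    return extracted, rejected


def demo() -> tuple[list[str], list[str]]:
    """Run the extractor over the constructed archive in a scratch directory
    and confirm nothing was written beside the destination."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "uploads")        # assumed upload directory
        extracted, rejected = safe_extract(build_hostile_zip(), dest)
        assert os.listdir(tmp) == ["uploads"], "something escaped the dest"
        return extracted, rejected


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)
    print("rejected: ", bad)
```

The check is done on the resolved path rather than by grepping for `..`, because `a/../../x` and `..\\x` both slip past a naive substring test, and the extractor writes files itself rather than trusting the archive's mode bits, which is what turns a dropped `index.cgi` into a script Apache will execute.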