I'd like to see this patch become the default: --- ircii-4.4/source/dcc.c~ Thu Dec 25 17:36:09 1997 +++ ircii-4.4/source/dcc.c Sat Apr 18 19:22:43 1998 @@ -940,16 +940,6 @@ return; } #endif /* S_IFDER */ - if (scanstr(FileBuf, "/etc/")) - { - yell("Send request rejected"); - return; - } - if ((int) strlen(FileBuf) >= 7 && 0 == strcmp(FileBuf + strlen(FileBuf) - 7, "/passwd")) - { - yell("Send request rejected"); - return; - } filesize = stat_buf.st_size; Client = dcc_searchlist(FileBuf, user, DCC_FILEOFFER, 1, filename); if ((Client->file = open(Client->description, O_RDONLY | O_BINARY)) == -1)
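Review bot: The hunk at @@ -940 deletes both FileBuf checks (the "/etc/" match and the "/passwd" suffix test) outright, so after this change nothing stands between the S_IFDIR block and the open() of Client->description, and a site that still wants the rejection has no way to get it back short of reverting the patch. If the goal is only to change the default, consider wrapping the two blocks in a build-time #ifdef or a user-settable option that is off by default rather than removing them, and add a line to the changelog or documentation saying the check is no longer active, since the "Send request rejected" behaviour disappears silently.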
Yes, what that does is check your /dcc commands to see if they have /etc or /passwd in them, and if they do, print a message "Send request rejected". Pretty much the only reason it's there is so clueless users can't be tricked into sending people /etc/passwd files. This makes sense on a large system with lotsa newbies on it. It does *not* make sense when you're just trying to exchange XF86Config's or what-have-you over IRC to try to help get something to work for someone.

My thoughts on this are that large systems without shadow passwords with shell accounts with ircii installed are:

1. very few and far between.
2. probably not running debian.
3. have hundreds of other security holes because of #2, making this one irrelevant.
4. have admins who usually wouldn't get debianized source anyway, or if they did, they'd be clueful enough to "fix" it.

I'd love to hear people's opinions on this.

--
Robert Woodcock - [EMAIL PROTECTED]
All I want is a warm bed and a kind word and unlimited power.
    -- Ashleigh Brilliant