On Mon, 2008-08-25 at 14:17 +0400, Dmitry E. Oboukhov wrote:
> NW>>> An attacker would be insane to select this example as a
> NW>>> vehicle.
> NW>>
> NW>> An attacker can use many ways (all variants from this list, for example), one of
> NW>> them can work. Why do you think that this variant does not work?
>
On Mon, Aug 25, 2008 at 10:17 PM, Dmitry E. Oboukhov <[EMAIL PROTECTED]> wrote:
> NW> Because it is in the documentation, not the script. Didn't you read the
> NW> reply? It is not a route of attack, it is AN EXAMPLE in the
> NW> documentation!
> This script is marked as executable.
> User can start i
NW>>> An attacker would be insane to select this example as a
NW>>> vehicle.
NW>>
NW>> An attacker can use many ways (all variants from this list, for example), one of
NW>> them can work. Why do you think that this variant does not work?
NW> Because it is in the documentation, not the script. Didn't you read t
On Mon, 2008-08-25 at 11:57 +0400, Dmitry E. Oboukhov wrote:
> NW> An attacker would be insane to select this example as a
> NW> vehicle.
>
> An attacker can use many ways (all variants from this list, for example), one of
> them can work. Why do you think that this variant does not work?
Because it is in the
NW> An attacker would be insane to select this example as a
NW> vehicle.
An attacker can use many ways (all variants from this list, for example), one of
them can work. Why do you think that this variant does not work?
--
. ''`. Dmitry E. Oboukhov
: :’ : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006
On Sun, Aug 24, 2008 at 06:44:57PM -0700, Russ Allbery wrote:
> Steve Langasek <[EMAIL PROTECTED]> writes:
> > The example *is* wrong - the example given is never safe to run, because
> > the only way to verify beforehand that /tmp/zenity is not a symlink to
> > something more important is by firs
[Neil Williams]
> $ pilot-qof -x data.xml --invoice-city -t 2006-11-08 | dfxml-invoice - \
> | zenity --text-info --title="2006-11-08" -
>
> 2. Unnecessarily complicated for documentation (the need for '\' is,
> IMHO, an indication that the command is too long).
Not to disagree with your real t
Steve Langasek <[EMAIL PROTECTED]> writes:
> The example *is* wrong - the example given is never safe to run, because
> the only way to verify beforehand that /tmp/zenity is not a symlink to
> something more important is by first explicitly *creating* your file
> under /tmp (non-destructively), t
In article <[EMAIL PROTECTED]> you wrote:
> Yes, a race condition could happen and yes, there could be all sorts of
> complicated ways of handling temp files and passing back the name of the
> file but examples have to be simple and clear, not obfuscated by
> problems unrelated to the nature of the
On Sun, 2008-08-24 at 13:30 -0700, Steve Langasek wrote:
> On Sun, Aug 24, 2008 at 08:28:32PM +0100, Neil Williams wrote:
> > =head1
> > A more complex example using 'zenity' - a Gnome dialog generator.
>
> > $ pilot-qof -x data.xml --invoice-city -t 2006-11-08 | dfxml-invoice -
> > > /tmp/zenity
On Sun, Aug 24, 2008 at 08:28:32PM +0100, Neil Williams wrote:
> > For example if a script uses in its work a temp file which is created
> > in /tmp directory, then every user can create symlink with the same
> > name in this directory in order to destroy or rewrite some system
> > or user
On Sun, 2008-08-24 at 22:05 +0400, Dmitry E. Oboukhov wrote:
> Package: datafreedom-perl
> Severity: grave
No, that is just plain wrong, sorry.
> Hi, maintainer!
(and I do so hate unnecessary exclamation marks)
> This message about the error concerns a few packages at once. I've
> tested al