Date: Tue, 28 Nov 2017 21:05:28 -0500
From: Michael Orlitzky <michael@...itzky.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Security risk of server side text editing ...

On 11/28/2017 08:19 AM, Bram Moolenaar wrote:
> 
> This is a problem with the configuration of the web server.  It should
> not publish files it doesn't know about.  The problem also happens for
> any other file manipulation, e.g. "cp file.php file.php.orig" if you
> want to make some temporary changes.  A .orig and .rej file may also
> appear when applying a patch.

The main difference in my mind is that when you "cp" a file, you expect
it to create a new file. Likewise with patch it tells you that the
rejects were saved in a new file.

Editing a file in-place should not create *another* file in the current
directory with a different name/suffix. I realize that's subjective, but
a lot of (even long time) users will tell you that no way in hell did
they expect that to happen. (What's the argument against using a
subdirectory of $HOME to store these temporary files?)
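
Added example, not part of the original message or of any project discussed in the thread: a shell check an administrator could run against a web document root to list the leftover files the thread is about. The `*.orig` and `*.rej` patterns come from the quoted text; the Vim swap (`.*.sw?`) and backup (`*~`) patterns, the function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list editor and patch leftovers under a web document root.
# *.orig and *.rej are named in the thread; the Vim swap (.*.sw?) and
# backup (*~) patterns are assumptions about which editor is in use.
find_leftovers() {
    docroot=$1
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 2; }
    find "$docroot" -type f \( \
        -name '*.orig' -o -name '*.rej' -o \
        -name '.*.sw?' -o -name '*~' \
    \) -print | sort
}

# Returns 0 when the tree is clean, 1 when leftovers exist, 2 on bad input,
# so it can gate a deploy job or run from cron.
check_docroot() {
    found=$(find_leftovers "$1") || return 2
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample tree (hypothetical file names) so the example runs offline.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/app"
    : > "$d/index.php"
    : > "$d/app/config.php"
    : > "$d/app/config.php.orig"   # from "cp file.php file.php.orig" or patch
    : > "$d/app/config.php.rej"    # rejected patch hunks
    : > "$d/app/.config.php.swp"   # Vim swap file (assumed editor)
    : > "$d/index.php~"            # editor backup file (assumed)
    printf '%s\n' "$d"
}
```

Calling `check_docroot` on the tree from `make_sample_tree` prints the four leftover paths and returns 1; the two real `.php` files are not reported.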
