Date: Tue, 28 Nov 2017 21:05:28 -0500
From: Michael Orlitzky <michael@...itzky.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Security risk of server side text editing ...

On 11/28/2017 08:19 AM, Bram Moolenaar wrote:
>
> This is a problem with the configuration of the web server. It should
> not publish files it doesn't know about. The problem also happens for
> any other file manipulation, e.g. "cp file.php file.php.orig" if you
> want to make some temporary changes. A .orig and .rej file may also
> appear when applying a patch.

The main difference in my mind is that when you "cp" a file, you expect
it to create a new file. Likewise with patch it tells you that the
rejects were saved in a new file.

Editing a file in-place should not create *another* file in the current
directory with a different name/suffix. I realize that's subjective, but
a lot of (even long time) users will tell you that no way in hell did
they expect that to happen.

(What's the argument against using a subdirectory of $HOME to store
these temporary files?)