Re: wget2 | Further Enhancement of --download-attr (#529)

wget-dev

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: wget2 | Further Enhancement of --download-attr (#529)

From:	Tim Rühsen
Subject:	Re: wget2 \| Further Enhancement of --download-attr (#529)
Date:	Sat, 11 Jul 2020 21:16:19 +0000



Tim Rühsen commented:


@wtautz In the current implementation, the path is removed on purpose to not 
allow directory escaping which can be used by attackers (malicious 
servers/websites) to place or overwrite arbitrary files.

What you request is an *extremly* dangerous feature - you should do that only 
with sites you fully trust (e.g. your own site).

A possible solution would be to allow on optional argument, like in 
`--download-attr=noabspath` for using pathes (but remove leading / if there) 
and `--download-attr=abspath` to take the path as is (eventually with a leading 
/). `--download-attr=nopath` is the default then.

Currently, my time for FOSS programming is very limited. Hope I can catch up in 
a few weeks/months.

-- 
Reply to this email directly or view it on GitLab: 
https://gitlab.com/gnuwget/wget2/-/issues/529#note_377763863
You're receiving this email because of your account on gitlab.com.

[Prev in Thread]

Current Thread

[Next in Thread]

Re: wget2 | Further Enhancement of --download-attr (#529), Walter Tautz, 2020/07/06
- Re: wget2 | Further Enhancement of --download-attr (#529), Tim Rühsen <=
- Re: wget2 | Further Enhancement of --download-attr (#529), Walter Tautz, 2020/07/11

Prev by Date: Confirmation instructions
Next by Date: Re: wget2 | Further Enhancement of --download-attr (#529)
Previous by thread: Re: wget2 | Further Enhancement of --download-attr (#529)
Next by thread: Re: wget2 | Further Enhancement of --download-attr (#529)
Index(es):
- Date
- Thread