Re: wget2 | Further Enhancement of --download-attr (#529)
From: Tim Rühsen
Subject: Re: wget2 | Further Enhancement of --download-attr (#529)
Date: Sat, 11 Jul 2020 21:16:19 +0000

Tim Rühsen commented:

@wtautz In the current implementation, the path is removed on purpose to not
allow directory escaping which can be used by attackers (malicious
servers/websites) to place or overwrite arbitrary files.

What you request is an *extremely* dangerous feature - you should do that only
with sites you fully trust (e.g. your own site).

A possible solution would be to allow an optional argument, like in
`--download-attr=noabspath` for using paths (but remove leading / if there)
and `--download-attr=abspath` to take the path as is (eventually with a leading
/). `--download-attr=nopath` is the default then.

Currently, my time for FOSS programming is very limited. Hope I can catch up in
a few weeks/months.

--
Reply to this email directly or view it on GitLab:
https://gitlab.com/gnuwget/wget2/-/issues/529#note_377763863
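
The following sketch is an added example, not part of the original message and not wget2's own code. It shows how the default `nopath` behaviour and the proposed `noabspath` mode could reduce a server-supplied download attribute to a name that stays inside the download directory. The function and enum names are hypothetical, `/` is assumed to be the only path separator, and rejecting `..` components in `noabspath` mode is an assumption that the message does not spell out.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical mode names mirroring the options proposed in the message. */
enum dl_path_mode { DL_NOPATH, DL_NOABSPATH };

/* Return 1 if any '/'-separated component of s is exactly "..". */
static int has_dotdot(const char *s)
{
    while (*s) {
        size_t n = strcspn(s, "/");
        if (n == 2 && s[0] == '.' && s[1] == '.')
            return 1;
        s += n;
        while (*s == '/') s++;
    }
    return 0;
}

/* Map a server-supplied download attribute value to a name relative to the
 * download directory. Returns a pointer into attr, or NULL if rejected. */
const char *safe_download_name(const char *attr, enum dl_path_mode mode)
{
    const char *name = attr;
    if (mode == DL_NOPATH) {              /* default: keep only the last component */
        const char *slash = strrchr(attr, '/');
        if (slash) name = slash + 1;
    } else {                              /* noabspath: keep a relative path */
        while (*name == '/') name++;      /* remove leading slashes */
        if (has_dotdot(name))             /* assumption: refuse ".." components */
            return NULL;
    }
    if (!*name || !strcmp(name, ".") || !strcmp(name, "..")
        || name[strlen(name) - 1] == '/')
        return NULL;                      /* nothing usable as a file name */
    return name;
}

int main(void)
{
    /* Constructed attribute values, as a hostile page might supply them. */
    const char *in[] = { "report.pdf", "../../etc/passwd", "/etc/cron.d/job", "docs/../../x" };
    for (size_t i = 0; i < sizeof in / sizeof *in; i++) {
        const char *a = safe_download_name(in[i], DL_NOPATH);
        const char *b = safe_download_name(in[i], DL_NOABSPATH);
        printf("%-18s nopath=%-12s noabspath=%s\n", in[i], a ? a : "(rejected)", b ? b : "(rejected)");
    }
}
```

These checks are purely lexical, so symlinks that already exist inside the download directory are not covered by them.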