Great Circle Associates Majordomo-Workers
(January 1997)
 


Subject: Re: Possible bug in access_check
From: Jason L Tibbitts III <tibbs @ hpc . uh . edu>
Date: 08 Jan 1997 13:02:44 -0600
To: Dave Wolfe <david_wolfe @ risc . sps . mot . com>
Cc: lou @ metron . com, majordomo-workers @ greatcircle . com (Majordomo developer's mailing list), cwilson @ slurp . neu . sgi . com (Chan Wilson)
In-reply-to: Dave Wolfe's message of Wed, 8 Jan 1997 12:30:41 -0600 (CST)
References: <199701081830.MAA14179@miaow.risc.sps.mot.com>

>>>>> "DW" == Dave Wolfe <dwolfe@risc.sps.mot.com> writes:

DW> My sincere apologies. Rolling back my screen shows comments by Chan on
DW> access_check().

Which doesn't mean that he's responsible; we don't really have an audit
trail for the code.

DW> Not your problem, but basically, 'restrict_post' is used for two
DW> similar duties but handled differently for each.

I see that now.  It's kind of gross, but it does make a bit of sense as the
easiest way out.

DW> Do we break compatibility and stop accepting absolute paths in
DW> check_sender?

While it's a sane action, I don't think it will win any friends.

DW> Or expand the problematical use of absolute paths in
DW> access_check()?

I suppose that for continuing 1.94.x releases it only makes sense to let
people keep using absolute paths; too many people would complain if you
didn't.  Some deprecation warnings in big letters all over the
documentation might not hurt, though.  What's important is that if you
can't get rid of absolute pathnames, you at least need to make them work
consistently.  Perhaps there should be a config variable,
$allow_unsafe_pathnames or somesuch that lets the installer control this.

 - J<

