|Summary:||wget should not chmod mirrored symlinks to 0777|
|Product:||[Retired] Red Hat Linux||Reporter:||charles|
|Component:||wget||Assignee:||David Lawrence <dkl>|
|Status:||CLOSED NEXTRELEASE||QA Contact:|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||1999-08-26 20:32:22 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
Description charles 1999-08-26 18:25:06 UTC
Assume the maintainer of an anonymous ftp site is malicious toward someone who uses wget to mirror his site. He could put in simlinks such as a -> .. b -> ../.. c -> ../../.. d -> ../../../.. s -> /bin/sh etc. Those will all be listed as having 0777 perms since all simlinks do. If wget --mirror, for example, is used to mirror this ftp site and the wget user is not aware of the presence of those links (among a bunch of others files), wget will do ``chmod 0777 l'' on the copy of link l thereby effectively changing the permission of the pointed-to file, if the wget user has the right to do so. This could then be used by a local user of the system running wget. I will send a patch for this which I submitted to email@example.com without receving an answer for 2 months.
Comment 1 Jeff Johnson 1999-08-26 20:32:59 UTC
Fixed in wget-1.5.3-5. Thanks for the patch.