Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 4725 - wget should not chmod mirrored symlinks to 0777
wget should not chmod mirrored symlinks to 0777
Status: CLOSED NEXTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: wget (Show other bugs)
6.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: David Lawrence
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 1999-08-26 14:25 EDT by charles
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 1999-08-26 16:32:22 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description charles 1999-08-26 14:25:06 EDT 
Assume the maintainer of an anonymous ftp site is malicious
toward someone who uses wget to mirror his site.  He could
put in simlinks such as

	a -> ..
	b -> ../..
	c -> ../../..
	d -> ../../../..
	s -> /bin/sh
	etc.

Those will all be listed as having 0777 perms since all
simlinks do.  If wget --mirror, for example, is used to
mirror this ftp site and the wget user is not aware of
the presence of those links (among a bunch of others files),
wget will do ``chmod 0777 l'' on the copy of link l thereby
effectively changing the permission of the pointed-to file,
if the wget user has the right to do so.  This could then be
used by a local user of the system running wget.

I will send a patch for this which I submitted to
bug-wget@gnu.org without receving an answer for 2 months.
Comment 1 Jeff Johnson 1999-08-26 16:32:59 EDT 
Fixed in wget-1.5.3-5. Thanks for the patch.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.