[asterisk-dev] New manager action: CreateConfig

Johansson Olle E oej at edvina.net
Tue Feb 12 10:39:43 CST 2008


On 12 Feb 2008, at 17:10, Tzafrir Cohen wrote:

> On Tue, Feb 12, 2008 at 04:16:48PM +0100, Johansson Olle E wrote:
>> What happens if I use an argument of "../rc.conf" or "../passwd" ?
>>
>> I suggest we filter file name arguments for ".." and "/" in the
>> arguments of all these configuration actions.
>
> You assume the user did not run:
>
>  System(ln -s / /etc/asterisk/rootdir)
>
> Running Asterisk as root is bad for your health.


Well, I won't disagree. But that's not a good reason for adding new  
holes, is it?

/O
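
The filter suggested in this thread, sketched as an added example (not Asterisk's code and not code from either poster): `config_name_ok` and `create_config` are hypothetical names, and the length limit and the exclusive-create flags are assumptions of the example. Because "/" is refused, a name such as `rootdir/etc/passwd` that would pass through a symlinked directory is rejected as well, and `O_CREAT | O_EXCL` refuses a symlink planted under the requested name.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* openat, O_NOFOLLOW, mkdtemp */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Lexical filter proposed in the thread: no "/" and no ".." in the name.
 * The empty-name and length checks are additions made for this example. */
int config_name_ok(const char *name)
{
    if (name == NULL || name[0] == '\0' || strlen(name) > 255)
        return 0;
    return strchr(name, '/') == NULL && strstr(name, "..") == NULL;
}

/* Hypothetical helper: create an empty file `name` inside config_dir.
 * Returns an open fd, or -1 if the name is rejected or creation fails. */
int create_config(const char *config_dir, const char *name)
{
    int dirfd, fd;
    if (!config_name_ok(name))
        return -1;
    /* Pin the directory, then resolve the bare name relative to it. */
    dirfd = open(config_dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        return -1;
    /* O_CREAT|O_EXCL fails on any existing entry, including a symlink
     * planted under that name; O_NOFOLLOW makes the intent explicit. */
    fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0640);
    close(dirfd);
    return fd;
}

int main(void)
{
    /* Constructed inputs: a scratch directory plus names to try. */
    char dir[] = "/tmp/cfgdemoXXXXXX";
    const char *names[] = { "users.conf", "../rc.conf", "../passwd", "a/b.conf" };
    if (mkdtemp(dir) == NULL) return 1;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int fd = create_config(dir, names[i]);
        printf("%-12s %s\n", names[i], fd >= 0 ? "created" : "refused");
        if (fd >= 0) close(fd);
    }
    return 0;
}
```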


