File extension not sanitized
I have discovered that the file extension received from the server to
temporarily store the report and open it is not correctly sanitized.
It means that a malicious server could send, as the result of a report, an
extension that could contain a filesystem path separator. So it can force the
client to write any files on the client host with the rights of the user.
Here is a patch that fixes the issue.
I don't know if it deserves the label of security fix or if it should follow
the normal path, as it requires connecting to a malicious server.
Files
Download | Creator | Timestamp | Type |
---|---|---|---|
patch | @ced | 2013-10-27 14:28:56.658000 UTC | text/plain |
news.patch | @ced | 2013-10-31 21:58:23.312000 UTC | text/plain |
news.patch.diff | @mbehrle | 2013-11-01 19:03:48.796000 UTC | text/plain |
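
The flaw class described in the report, shown as an added example that is not part of the original report and is not the attached patch or the project's code: an unchecked extension joined into a temporary path, next to an allow-list check and a containment test. All function names and the allow-list pattern (short alphanumeric extensions) are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption: legitimate report extensions are short alphanumeric tokens.
_SAFE_EXT = re.compile(r"[A-Za-z0-9]{1,10}")


def unsafe_report_path(tmpdir, name, ext):
    """'Before' form: the server-supplied extension is concatenated unchecked."""
    return os.path.join(tmpdir, name + os.extsep + ext)


def is_inside(root, path):
    """True if path, once '..' and symlinks are resolved, stays under root."""
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def safe_extension(ext, default="bin"):
    """Return ext only if the whole value matches the allow-list."""
    # fullmatch (not match with '$') so a trailing newline cannot slip through.
    if isinstance(ext, str) and _SAFE_EXT.fullmatch(ext):
        return ext.lower()
    return default


def save_report(tmpdir, data, ext):
    """Write report bytes to a fresh, unpredictable file inside tmpdir."""
    suffix = os.extsep + safe_extension(ext)
    fd, path = tempfile.mkstemp(suffix=suffix, dir=tmpdir)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    # Defence in depth: refuse to hand back a path that left the directory.
    if not is_inside(tmpdir, path):
        os.unlink(path)
        raise ValueError("report path escaped the temporary directory")
    return path


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    constructed_ext = "pdf/../../escaped"  # constructed sample value
    print(is_inside(workdir, unsafe_report_path(workdir, "report", constructed_ext)))
    print(save_report(workdir, b"report bytes", constructed_ext))
```
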