In message <19990120165948.A14518at_private>, Aleph One writes: > >I tought we've seen the last of these Windows file aliases vulnerabilities. >Guess I was wrong. Incredible the amount of cruft the Windows file name >parser will take. Wonder what other wonderful aliases are waiting to be >discovered. I'm sure there are others; determing access permissions by application-level parsing of file names is a fundamentally flawed notion. I've watched it fail for at least 20 years, in systems at least as old as uucp through today's Web servers. And it's not just Windows, though the complexity of its syntax compared to that of Unix makes life much tougher. And think of all of the opportunities for race conditions with this sort of parsing, especially with complex types.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:29:29 PDT