It's not always obvious that an archive shouldn't be trusted -- for example, the breakins at the BSD and Sendmail sites. Trusting directory traversal strings (absolute paths and ../) should require an explicit request on the part of the user. Just because a user 'should' be wary of a trojan archive doesn't mean that they always will be. Andrew Kopp wrote: .... > And to those who extract an un-trusted archive and set the "don't prompt > me" flag, you really need a lesson in 'basic' (very obvious too!) > security practices. -- Stephen Samuel +1(604)876-0426 samuelat_private http://www.bcgreen.com/~samuel/ Powerful committed communication, reaching through fear, uncertainty and doubt to touch the jewel within each person and bring it to life.
This archive was generated by hypermail 2b30 : Thu Dec 19 2002 - 19:23:53 PST