In-Reply-To: <20020709183903.GA1407at_private>

>Icecast allows for remote probing of the underlying
>filesystem structure. (on a side note, this can also be used to list
>files with a .mp3 extension anywhere on the system. send_file() does do
>traversal checking.)

Just an FYI: maybe Icecast has further info about this, but I think it might be a good idea to 'jail' Icecast if possible. A little while back I wrote a paper describing how to do that specifically with Icecast. You'll have to search for 'icecast' in the following page to get to the walkthrough.

http://www.palecrow.com/chroot-jail-paper.html

If they haven't already, I'd like it if Icecast developers would incorporate the ability to jail the server during the install, as a further protection against bad inputs and file snooping.

Thanks!
Matt Borland
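What jailing a streaming daemon involves at the system-call level, as an added example (not Icecast's code and not taken from the linked paper): the process confines itself to a directory and then gives up root for good, so a file-probing bug can only see what is inside the jail. The function name `enter_jail`, its error codes and the uid/gid 65534 are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE          /* exposes chroot() and setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum jail_err { JAIL_OK = 0, JAIL_ERR_BADID, JAIL_ERR_CHDIR, JAIL_ERR_CHROOT,
                JAIL_ERR_GROUPS, JAIL_ERR_GID, JAIL_ERR_UID, JAIL_ERR_STILL_ROOT };

/* Confine the calling process to jail_dir and permanently drop root.
 * Intended to run after privileged setup (binding ports, opening logs)
 * and before any client input is parsed. */
int enter_jail(const char *jail_dir, uid_t uid, gid_t gid)
{
    /* A jail is only a boundary for a non-root process. */
    if (uid == 0 || gid == 0) return JAIL_ERR_BADID;

    /* Enter the directory first so no working directory is left outside. */
    if (chdir(jail_dir) != 0) return JAIL_ERR_CHDIR;
    if (chroot(".") != 0)     return JAIL_ERR_CHROOT;
    if (chdir("/") != 0)      return JAIL_ERR_CHDIR;

    /* Order matters: supplementary groups, then gid, then uid.
     * After setuid() the process may no longer change its groups. */
    if (setgroups(1, &gid) != 0) return JAIL_ERR_GROUPS;
    if (setgid(gid) != 0)        return JAIL_ERR_GID;
    if (setuid(uid) != 0)        return JAIL_ERR_UID;

    /* Verify the drop is irreversible; if root can be regained, fail. */
    if (setuid(0) == 0) return JAIL_ERR_STILL_ROOT;
    return JAIL_OK;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <jail-dir>\n", argv[0]);
        return 2;
    }
    /* 65534 is assumed to be an unprivileged "nobody" account. */
    int rc = enter_jail(argv[1], 65534, 65534);
    if (rc != JAIL_OK) {
        fprintf(stderr, "refusing to serve: jail setup failed (step %d)\n", rc);
        return 1;
    }
    printf("jailed, running as uid %d\n", (int)getuid());
    return 0;
}
```

The daemon should exit rather than continue when any step fails, since serving requests outside the jail defeats the purpose.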
This archive was generated by hypermail 2b30 : Tue Jul 16 2002 - 13:54:15 PDT