Re: NNCP path traversal attack.

public inbox for nncp-devel@lists.stargrave.org
Atom feed

From: Eugene Medvedev <rn3aoh.g@gmail•com>
To: John Goerzen <jgoerzen@complete•org>
Cc: nncp-devel@lists.cypherpunks.su
Subject: Re: NNCP path traversal attack.
Date: Fri, 19 Sep 2025 15:11:42 +0300	[thread overview]
Message-ID: <CAO-d-4o+rLNckgcXQb1o1GZNpNm9-fw5ZiqFk6sdJHyruRZ_eg@mail.gmail.com> (raw)
In-Reply-To: <87v7leira6.fsf@complete.org>

On Fri, 19 Sept 2025 at 15:02, John Goerzen <jgoerzen@complete•org> wrote:

> Question: do you believe there is also an absolute path (path beginning
> with / ) weakness?  It looks like your patch would account for that also
> though.

The code explicitly checked for non-relative path in case of both freq
and file even before my patch, so fortunately that wasn't a concern.

-- 
Eugene Medvedev

next prev parent reply	other threads:[~2025-09-19 12:12 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-09-19  4:46 NNCP path traversal attack Eugene Medvedev
2025-09-19  6:28 ` Jonathan Lane
2025-09-19  6:43   ` Eugene Medvedev
2025-09-19 12:02 ` John Goerzen
2025-09-19 12:11   ` Eugene Medvedev [this message]
2025-09-19 12:04 ` John Goerzen
2025-09-19 12:31   ` Eugene Medvedev
2025-09-19 13:25 ` Sergey Matveev
2025-09-19 13:30   ` Eugene Medvedev