[Bug-wget] Re: trustservernames patch
From: Jochen Roderburg
Subject: [Bug-wget] Re: trustservernames patch
Date: Sun, 01 Aug 2010 11:17:02 +0200
User-agent: Dynamic Internet Messaging Program (DIMP) H3 (1.1.4)
I have been trying out the current development version with the
trustservernames patch and soon found out that this really breaks many
downloads (e.g. most URLs for sourceforge) and that it will most
certainly be an option that I set permanently to on in my wget usage.

OTOH I also saw that the patch as such is not yet complete and does
not yet cover all aspects of the underlying problem.

It seems that setting contentdisposition=on (which I also have
permanently in my wget configuration) circumvents the patch. Not only
when a Content-Disposition header is actually used; just the active
option is sufficient for this.

But further thinking shows that actually the whole contentdisposition
feature has the same vulnerability as the redirect case: this is also
a case where a remote server can set the filename which is locally
used by wget.

So I think: to make the patch complete, trustservernames=off must also
imply contentdisposition=off.
Or you invent another separate option for the contentdisposition case.

In my own personal wget version I will set all these options to on,
because I usually want the filenames that are suggested from the
server side. I will even set these as defaults in the source, because
setting them in some wgetrc configuration file creates another
backward-compatibility problem with such new options: older program
versions which do not know the options don't run any longer. And I
also want to use those occasionally, for tests or comparisons, or when
I want to use some feature which has disappeared in newer versions.
Best regards,
Jochen Roderburg
RRZK
University of Cologne
Robert-Koch-Str. 10
D-50931 Koeln
Tel.: +49-221/478-7024
E-Mail: address@hidden
Germany
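The point made in the mail above is that both an HTTP redirect and a Content-Disposition header let a remote server choose the name of the local file, so a "trust server names" switch that only covers redirects is incomplete. The following is an added illustration, written for this page and not taken from wget's source, of the policy the mail proposes (trustservernames=off also disables the Content-Disposition name) together with the path sanitisation any such code needs. The function names, the two boolean options and the example URLs and header values are all constructed for the illustration; the minimal Content-Disposition parser handles only the plain `filename=` parameter.

```python
import posixpath
from urllib.parse import urlsplit, unquote


def filename_from_url(url):
    """Last path component of a URL, percent-decoded; 'index.html' if empty.

    Decoding happens before the basename is taken so that an encoded
    '%2e%2e%2f' cannot survive as a directory component.
    """
    path = unquote(urlsplit(url).path)
    return posixpath.basename(path) or "index.html"


def filename_from_content_disposition(header):
    """Return the filename= parameter of a Content-Disposition header, or None.

    Constructed minimal parser: handles 'attachment; filename="x"' and the
    unquoted form; it deliberately ignores the RFC 5987 filename* form.
    """
    if not header:
        return None
    for param in header.split(";")[1:]:
        param = param.strip()
        if param.lower().startswith("filename="):
            value = param[len("filename="):].strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            return value or None
    return None


def sanitize_name(name):
    """Reduce a server-supplied name to a single safe path component.

    Both '/' and '\\' are treated as separators, and the empty name,
    '.' and '..' are rejected (None) so the caller falls back.
    """
    if name is None:
        return None
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    if name in ("", ".", ".."):
        return None
    return name


def choose_local_name(original_url, final_url, content_disposition,
                      trust_server_names, content_disposition_enabled):
    """Pick the local filename for a download.

    Policy from the mail: with trust_server_names off, neither the
    redirect target (final_url) nor the Content-Disposition name is
    used; only the URL the user typed decides the name.  With it on,
    a Content-Disposition name wins when that option is enabled,
    otherwise the final (post-redirect) URL decides.  Every candidate
    is sanitised, and a rejected candidate falls through to the next.
    """
    if not trust_server_names:
        return sanitize_name(filename_from_url(original_url)) or "index.html"

    candidate = None
    if content_disposition_enabled:
        candidate = sanitize_name(
            filename_from_content_disposition(content_disposition))
    if candidate is None:
        candidate = sanitize_name(filename_from_url(final_url))
    return candidate or "index.html"


if __name__ == "__main__":
    # Constructed sample: the user asked for pkg.tar.gz, the server
    # redirected elsewhere and sent a hostile Content-Disposition.
    orig = "http://example.invalid/dl/pkg.tar.gz"
    final = "http://mirror.invalid/x/other.tar.gz"
    hostile = 'attachment; filename="../../.bashrc"'
    for trust in (False, True):
        for cd in (False, True):
            print(f"trust={trust!s:5} contentdisposition={cd!s:5} ->",
                  choose_local_name(orig, final, hostile, trust, cd))
```

Run as a script it prints the four option combinations for the constructed hostile response; the sanitiser is what keeps the `../../.bashrc` suggestion from leaving the download directory even when the server is trusted, while the policy decides whose name is used at all.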