sjero.net Git - wget/blobdiff - src/ChangeLog
[svn] Fix for FTP directory traversal vulnerability (at least for Unix).
index 13436c668daebecad796802d4c64709cad309be3..4dcc6d62014aace36d421b1a70671f1233d54958 100644 (file)
@@ -1,3 +1,15 @@
+2003-01-11  Ian Abbott <abbotti@mev.co.uk>
+
+       * ftp.c (ftp_retrieve_glob): Reject insecure filenames as determined
+       by calling new function has_insecure_name_p.  This is based on a
+       patch by Red Hat.
+
+       * fnmatch.c (has_insecure_name_p): New function: returns non-zero
+       if filename starts with `/' or contains `../' and is therefore
+       considered insecure.
+
+       * fnmatch.h: Declare has_insecure_name_p().
+
 2002-08-03  Hrvoje Niksic  <hniksic@xemacs.org>
 
        * init.c (cmd_file): Allocate RESULT correctly.
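Review bot: The has_insecure_name_p entry under fnmatch.c documents the test as "starts with `/' or contains `../'", and read literally that does not cover a name that is exactly `..` or one that ends in `/..`, since neither contains `../`. If the function does reject those names, the entry should say so; if it does not, ftp_retrieve_glob relies on this result alone and would treat them as secure, so the check should flag a `..` path component wherever it appears. The commit subject limits the fix to Unix, but the entry does not record that; since it names only `/' as a separator, a short remark on the known limitation would help later readers of the ChangeLog.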