3 Jan 2012, 3:39 p.m.
Martin Holste <mcholste@gmail.com> writes:
This sounds like a significant security hole as well, as we have user input creating files and directories. I can't immediately think of how to do significant damage (assuming most run with non-root accounts) since it won't overwrite existing dirs, but I'm sure someone more crafty could figure out a way to add a .htaccess file to a web directory or something.
syslog-ng will refuse to write to files whose path contains "..", so the worst case is that subdirs can be created (but create_dirs(no) will "help" against that).

--
|8]
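An added example, not part of the original thread and not syslog-ng code: a Python model of the path rules stated in the reply, applied to a file destination whose name is built from a message field. The template path, the choice of `$PROGRAM` as the sender-controlled macro, the substring reading of 'contains ".."', and the `sanitize` helper are all assumptions made for illustration.

```python
import re

# Hypothetical destination template; $PROGRAM stands in for any macro
# whose value is taken from the incoming message (sender-controlled).
TEMPLATE = "/var/log/apps/$PROGRAM.log"


def expand(value, template=TEMPLATE):
    """Substitute the message-supplied value into the file template."""
    return template.replace("$PROGRAM", value)


def classify(value, create_dirs=True, template=TEMPLATE):
    """Model the outcomes described in the reply for one macro value."""
    path = expand(value, template)
    if ".." in path:
        # Assumption: 'contains ".."' is read as a plain substring check.
        return "refused"
    if "/" in value:
        # The value adds path components below the intended directory.
        # With create_dirs(no) the write only works if they already exist.
        return "new-subdir" if create_dirs else "needs-existing-dir"
    return "flat-file"


def sanitize(value):
    """Reduce a message-supplied value to a single safe path component."""
    cleaned = re.sub(r"[^A-Za-z0-9_.-]", "_", value)  # drops "/" and odd bytes
    cleaned = re.sub(r"\.{2,}", "_", cleaned)          # no ".." sequences
    return cleaned.lstrip(".") or "unknown"            # no hidden/empty names


# Constructed sample values, as a sender might place them in the field.
SAMPLES = ["sshd", "cron/daily", "../other", ".hidden"]


def report(samples=SAMPLES):
    """Return (raw, verdict, create_dirs(no) verdict, sanitized) rows."""
    return [(s, classify(s), classify(s, create_dirs=False), sanitize(s))
            for s in samples]


if __name__ == "__main__":
    for raw, verdict, no_dirs, clean in report():
        print(f"{raw!r:12} {verdict:12} {no_dirs:20} -> {clean!r}")
```

Sanitizing the value before it reaches the template closes the subdirectory case independently of the create_dirs setting.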