10 Jan 2012, 4:41 p.m.
On Tue, 2012-01-03 at 09:53 -0600, Martin Holste wrote:
> Ok, but what about absolute directories? I'm assuming that something as simple as setting program to /etc/passwd will not work by default, but is there anything for users to be aware of?
If you add anything in front of the expanded macro, then you can't escape that, since syslog-ng will refuse to create files that contain '../' or '/..'. There's a new template function $(sanitize) in the 3.4 tree that can help escape the untrusted values, otherwise it is possible to create unwanted files/directories under a tree.

--
Bazsi
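The behaviour described in the reply above, as an added Python model that is not syslog-ng code and not part of the original message: it expands an untrusted `$PROGRAM` value into a file path, applies the '../' and '/..' refusal, and shows what replacing '/' changes. The prefix `/var/log/apps`, the sample program names and the sanitize defaults (replace '/' and control characters with '_') are assumptions made for the illustration.

```python
import posixpath

BASE = "/var/log/apps"                 # constructed prefix in front of the macro
TEMPLATE = BASE + "/$PROGRAM.log"      # hypothetical file() destination template


def expand(template: str, program: str) -> str:
    """Substitute the untrusted program name into the path template."""
    return template.replace("$PROGRAM", program)


def refused(path: str) -> bool:
    """Model of the check from the message: paths containing '../' or '/..'."""
    return "../" in path or "/.." in path


def sanitize(value: str, invalid: str = "/", replacement: str = "_") -> str:
    """Model of $(sanitize): replace invalid and control characters (assumed defaults)."""
    return "".join(replacement if c in invalid or ord(c) < 32 else c for c in value)


def resolve(template: str, program: str, use_sanitize: bool = False):
    """Return the file that would be created, or None when the path is refused."""
    if use_sanitize:
        program = sanitize(program)
    path = expand(template, program)
    if refused(path):
        return None
    return posixpath.normpath(path)


def stays_under(path: str, base: str = BASE) -> bool:
    """True when the resolved file lives below the configured prefix."""
    return path.startswith(base + "/")


# Constructed sample values for the untrusted program field.
SAMPLES = ["sshd", "/etc/passwd", "../../etc/cron.d/x", "a/b/c"]

if __name__ == "__main__":
    for prog in SAMPLES:
        raw = resolve(TEMPLATE, prog)
        clean = resolve(TEMPLATE, prog, use_sanitize=True)
        print(f"{prog!r:24} raw={raw} sanitized={clean}")
```

With the prefix in place every accepted path stays under `/var/log/apps`, but values containing '/' still create extra directories there unless they are sanitized first.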