[syslog-ng] Escape slashes etc in macro variables ($PROGRAM)

Gergely Nagy algernon at balabit.hu
Tue Jan 3 16:39:40 CET 2012


Martin Holste <mcholste at gmail.com> writes:

> This sounds like a significant security hole as well, as we have user
> input creating files and directories.  I can't immediately think of
> how to do significant damage (assuming most run with non-root
> accounts) since it won't overwrite existing dirs, but I'm sure someone
> more crafty could figure out a way to add a .htaccess file to a web
> directory or something.

syslog-ng will refuse to write to files whose path contains "..", so the
worst case is that subdirs can be created (but create_dirs(no) will
"help" against that).

-- 
|8]
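
Added example, not part of the original message and not syslog-ng code: a small Python model of the behaviour described above for a file destination whose path is built from $PROGRAM, with one way to escape the value first. The template path, the ".." substring check, the result labels and the escape_program() helper are assumptions made for illustration.

```python
import posixpath

# Constructed destination template; the base directory is an assumption.
BASE = "/var/log/apps"
TEMPLATE = BASE + "/$PROGRAM.log"

def expand(template, program):
    """Substitute $PROGRAM verbatim, as an unescaped macro would be."""
    return template.replace("$PROGRAM", program)

def classify(path, create_dirs=True):
    """Simplified model of the behaviour described in the reply."""
    if ".." in path:
        return "refused"                 # path contains ".."
    if posixpath.dirname(path) != BASE:
        # The macro value added directory levels below BASE.
        return "creates-subdir" if create_dirs else "needs-existing-dir"
    return "ok"

def escape_program(program, max_len=64):
    """Hypothetical escaping step: reduce the value to one flat file name."""
    safe = "".join(c if c.isalnum() or c in "-_." else "_" for c in program)
    while ".." in safe:                  # no ".." may survive escaping
        safe = safe.replace("..", "_")
    safe = safe.strip(".")               # no hidden names, no "x..log"
    return (safe or "_")[:max_len]

if __name__ == "__main__":
    # Constructed $PROGRAM values, as they could arrive in a message.
    for prog in ["sshd", "postfix/smtpd", "../other", "x."]:
        raw = expand(TEMPLATE, prog)
        esc = expand(TEMPLATE, escape_program(prog))
        print(f"{prog!r:16} raw={classify(raw):15} escaped={esc} ({classify(esc)})")
```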


