Message-ID: <493692AF.D5B3FA42@dessent.net>
Date: Wed, 03 Dec 2008 06:07:43 -0800
From: Brian Dessent <brian@dessent.net>
To: cygwin@cygwin.com
Subject: Re: Finally managed to create a jailed SFTP server, but how secure?

Eric Blake wrote:

> That's with /.  What about with \?  The cygwin dll sometimes treats the
> two separators differently, where using \ is more likely to bypass cygwin
> checks.

Don't forget the other variants, like

\\.\c:\foo\bar
\\./c:/foo/bar
\??\c:\foo\bar
\??/c:\foo\bar
\??/c:/foo/bar

Brian
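
As an added example (not part of the original message, and not Cygwin or OpenSSH code), the C function below shows why a jail check has to fold both separators into one before testing a path: it classifies all five spellings listed above as device-namespace paths. The name classify_path, the verdict enum, and the extra UNC, \\?\, drive-letter and ".." checks are assumptions that go beyond the list in the message.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum verdict { PATH_OK, BAD_DEVICE_PREFIX, BAD_UNC, BAD_DRIVE,
               BAD_DOTDOT, BAD_BACKSLASH, BAD_TOO_LONG };

/* Hypothetical pre-check for a client-supplied path: classify it before
   any jail or chroot-style comparison looks at it. */
enum verdict classify_path(const char *in)
{
    char p[1024];
    size_t n = strlen(in), i, start = 0;
    int had_backslash = 0;

    if (n >= sizeof p) return BAD_TOO_LONG;
    /* Fold both separators into '/' so each test below sees one spelling. */
    for (i = 0; i <= n; i++) {
        if (in[i] == '\\') had_backslash = 1;
        p[i] = (in[i] == '\\') ? '/' : in[i];
    }
    /* Device-namespace prefixes in any separator mix. The second literal
       is split so the source never contains a C trigraph sequence. */
    if (!strncmp(p, "//./", 4) || !strncmp(p, "/?" "?/", 4) ||
        !strncmp(p, "//?/", 4))
        return BAD_DEVICE_PREFIX;
    if (p[0] == '/' && p[1] == '/') return BAD_UNC;
    /* Walk the components: ".." and a leading "X:" are both rejected. */
    for (i = 0; i <= n; i++) {
        if (p[i] != '/' && p[i] != '\0') continue;
        if (i - start == 2 && p[start] == '.' && p[start + 1] == '.')
            return BAD_DOTDOT;
        if (i - start >= 2 && isalpha((unsigned char)p[start]) &&
            p[start + 1] == ':')
            return BAD_DRIVE;
        start = i + 1;
    }
    /* A leftover backslash is still refused: only '/' is accepted. */
    return had_backslash ? BAD_BACKSLASH : PATH_OK;
}

int main(void)
{
    /* Constructed inputs: the five spellings listed in the message. */
    const char *v[] = { "\\\\.\\c:\\foo\\bar", "\\\\./c:/foo/bar",
        "\\?\?\\c:\\foo\\bar", "\\?\?/c:\\foo\\bar", "\\?\?/c:/foo/bar" };
    for (size_t k = 0; k < sizeof v / sizeof v[0]; k++)
        printf("%-18s -> verdict %d\n", v[k], classify_path(v[k]));
    return 0;
}
```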
