Re: [Bug-wget] [PATCH] Trivial changes in HSTS
From: Eli Zaretskii
Subject: Re: [Bug-wget] [PATCH] Trivial changes in HSTS
Date: Sat, 18 Jun 2016 10:46:31 +0300
> From: Gisle Vanem <address@hidden>
> Date: Fri, 17 Jun 2016 22:50:27 +0200
>
> > +static bool
> > +hsts_file_access_valid (const char *filename)
> > +{
> > + struct_stat st;
> > +
> > + if (stat (filename, &st) == -1)
> > + return false;
> > +
> > + return !(st.st_mode & S_IWOTH) && S_ISREG (st.st_mode);
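Review bot: the `st.st_mode & S_IWOTH` test in the return statement has no platform guard, so it depends on st_mode carrying a meaningful "other" write bit; where it does not, a valid store is rejected and HSTS is turned off for the run. Consider compiling that half of the condition out on Windows and keeping only `S_ISREG` there. Separately, the `stat (filename, &st) == -1` branch returns false for a missing file too, so the caller cannot tell "no store yet" from "unsafe store", and if the file is then opened by name the check and the read can see different files; `fstat` on the opened descriptor would close that gap.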
>
> Due to the above patch, the following output on Wget/Windows seems
> a bit paranoid; wget -d https://vortex.data.microsoft.com/collect/v1
> ...
> Reading HSTS entries from c:\Users\Gisle\AppData\Roaming/.wget-hsts
> Will not apply HSTS. The HSTS database must be a regular and
> non-world-writable file.
> ERROR: could not open HSTS store at
> 'c:\Users\Gisle\AppData\Roaming/.wget-hsts'. HSTS will be disabled.
>
> On Windows this file is *not* "world-writeable" AFAICS (and yes, it does
> exist).
> Hence this "paranoia" should be accounted for. I'm not so much into Posix,
> so I'll leave it to you experts to comment & patch.
IMO, this test should be bypassed on Windows. The "world" part in
"world-writeable" is a Unix-centric notion, and its translation into
MS-Windows ACLs is non-trivial (read: "impossible"). (For example,
your "non-world-writeable" file is accessible to certain users and
groups of users on Windows, other than Administrator.) So the sanest
solution for this is simply not to make this test on Windows.
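
Added example, not part of the original message and not wget's code: one way to keep the regular-file test everywhere while skipping the world-writable test on Windows, done with `fstat` on the opened descriptor. The names `store_fd_is_safe`, `store_path_is_safe` and `check_with_mode` are hypothetical, and the sample harness at the end is POSIX-only.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical helper: validate an already-open descriptor, so the
   check and the later read refer to the same file. */
static bool store_fd_is_safe (int fd)
{
  struct stat st;
  if (fstat (fd, &st) == -1 || !S_ISREG (st.st_mode))
    return false;
#ifdef _WIN32
  /* Per the reply above: "world" has no direct ACL equivalent,
     so the S_IWOTH test is skipped on this platform. */
  return true;
#else
  return !(st.st_mode & S_IWOTH);
#endif
}

/* Open PATH read-only and apply the check to the descriptor. */
static bool store_path_is_safe (const char *path)
{
  int fd = open (path, O_RDONLY);
  bool ok;
  if (fd == -1)
    return false;
  ok = store_fd_is_safe (fd);
  close (fd);
  return ok;
}

/* Constructed sample input: a temporary file forced to MODE. */
static bool check_with_mode (mode_t mode)
{
  char path[] = "/tmp/hsts-demo-XXXXXX";
  int fd = mkstemp (path);
  bool ok = false;
  if (fd == -1)
    return false;
  if (fchmod (fd, mode) == 0)
    ok = store_fd_is_safe (fd);
  close (fd);
  unlink (path);
  return ok;
}

int main (void)
{
  printf ("0644: %d  0666: %d  dir: %d\n", check_with_mode (0644),
          check_with_mode (0666), store_path_is_safe ("/tmp"));
  return 0;
}
```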