Comment 22 for bug 1546507
Revision history for this message
| Flavio Percoco (flaper87) wrote Re: Regular user can delete any image file | #22 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
Mike,
thanks for the new patch. We're getting closer.
Unfortunately, I don't think the check for valid external URI's is good enough. If I create an empty image and set my own location, which doesn't have the image id in it, I'll still be able to exploit this. Should we check in the DB and see if the location is being used?
Stuart, comments?