It's not always obvious that an archive shouldn't be trusted -- for example, the break-ins at the BSD and Sendmail sites. Trusting directory traversal strings (absolute paths and ../) should require an explicit request on the part of the user. Just because a user 'should' be wary of a trojan archive doesn't mean that they always will be.

Andrew Kopp wrote:
> ....
> And to those who extract an un-trusted archive and set the "don't prompt me" flag, you really need a lesson in 'basic' (very obvious too!) security practices.

--
Stephen Samuel +1(604)876-0426 samuel@bcgreen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and doubt to touch the jewel within each person and bring it to life.
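
The default-deny behaviour argued for in the message above, sketched as an added example that is not part of the original post or of any archiver discussed in the thread. The function names, the `trust_paths` opt-in and the sample archive are assumptions made for illustration; only member names are vetted, as in the message.

```python
import io
import tarfile

def traversal_reason(name):
    """Return why a member name can escape the extraction directory, or None."""
    # Leading slash/backslash or a drive-letter form such as C:\x is absolute.
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return "absolute path"
    # Any ".." path component walks upward, wherever it appears in the name.
    if ".." in name.replace("\\", "/").split("/"):
        return "parent-directory component"
    return None

def vet_members(tar, trust_paths=False):
    """Split members into (safe, refused).

    trust_paths=True is the explicit user request (hypothetical flag name);
    without it, traversal names are refused instead of silently honoured.
    """
    safe, refused = [], []
    for member in tar.getmembers():
        reason = traversal_reason(member.name)
        if reason and not trust_paths:
            refused.append((member.name, reason))
        else:
            safe.append(member)
    return safe, refused

def build_sample_archive():
    """Constructed sample: one ordinary member and two with traversal names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "../outside.txt", "/tmp/absolute.txt"):
            data = b"sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def demo(trust_paths=False):
    """Vet the constructed archive; nothing is written to disk."""
    with tarfile.open(fileobj=build_sample_archive(), mode="r") as tar:
        safe, refused = vet_members(tar, trust_paths)
        return [m.name for m in safe], refused

if __name__ == "__main__":
    print(demo())
```

The `safe` list can be passed to `tar.extractall(dest, members=safe)`, and the `refused` list reported to the user so the refusal is visible.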