Re: [chip@xxxxxxxxxx: Bug#206476: Too many characters are considered 'bad' in extracted binaries]



On Tue, 7 Oct 2003, Chip Salzenberg wrote:

> According to Booker Bense:
> > if it can be interpreted by the shell it should not be in a filename
> > that you download over the internet.  The BADCHARS list was created
> > from experience with the kind of exploits common when trn was under
> > active development [...]
> But modern shells didn't exist then.  Shall I enumerate the
> punctuation marks that are *not* metacharacters to zsh and/or bash?
> It's a short list.  Conversely, modern shells have tab-completion that
> automatically uses quotes and backslashes to turn any filename safe.
> The only untenable situation seems to be the status quo.
> Failing a consensus (which seems distant), perhaps BADCHARS could be
> made a configuration item?  One more of those couldn't hurt.

- I don't much care as I never download files via trn, I don't
buy the argument about "modern shells". Shells and the rules for
quoting metachars are the same then as now. The only difference
is that the shell does more of it for you by default now. Also,
the shell that's running the system call on most unix boxes is
likely a stripped down /bin/sh which is not going to do the fancy
quoting for you. If you can absolutely guarantee that these files
will never be blindly put into a system call, then maybe what
you suggest is okay. It seems like it'd be fairly trivial
to come up with an exploit using external viewers and MIME.

- I've been looking for an excuse to finally sit down and
remap my newsreading finger set to GNUS, maybe this is it.

_ Booker C. Bense
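
The concern in the reply above is a downloaded filename reaching a system call that runs under a plain /bin/sh. As an added example (not trn's code and not written by either poster), here are two defensive checks in C: an allowlist test for extracted names and POSIX single-quote escaping for the case where a shell command line cannot be avoided. The function names and the allowed character set are assumptions and do not reproduce trn's BADCHARS list.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allowlist: letters, digits, '.', '_' and '-' only, with no leading '-'
 * (option confusion) or '.' (hidden files, ".."). Assumed set, not BADCHARS. */
int name_is_conservative(const char *name)
{
    if (name[0] == '\0' || name[0] == '-' || name[0] == '.')
        return 0;
    for (const char *p = name; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr("._-", *p))
            return 0;
    return 1;
}

/* Quote `in` for a POSIX /bin/sh command line: wrap it in single quotes and
 * emit each embedded ' as '\''. Returns the length written, or -1 if `out`
 * is too small (the caller must then refuse the name, never truncate it). */
long sh_quote(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz < 3)
        return -1;
    out[n++] = '\'';
    for (; *in; in++) {
        size_t need = (*in == '\'') ? 4 : 1;
        if (n + need + 2 > outsz)      /* +2: closing quote and NUL */
            return -1;
        if (*in == '\'') {
            memcpy(out + n, "'\\''", 4);
            n += 4;
        } else {
            out[n++] = *in;
        }
    }
    out[n++] = '\'';
    out[n] = '\0';
    return (long)n;
}

int main(void)
{
    const char *name = "report; echo $HOME 'x'.txt"; /* constructed sample */
    char q[128];
    if (sh_quote(name, q, sizeof q) > 0)
        printf("conservative=%d quoted=%s\n", name_is_conservative(name), q);
    return 0;
}
```

Passing the filename as a separate argv element to `execvp()` instead of building a string for `system()` keeps the shell out of the path entirely, which makes the quoting step unnecessary.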
