Re: Apply patch for CVE-2007-0822

On 5/10/07, Kay Sievers <kay.sievers@xxxxxxxx> wrote:
On 5/10/07, Karel Zak <kzak@xxxxxxxxxx> wrote:
> On Thu, May 10, 2007 at 12:06:27PM +0200, Matthias Koenig wrote:
> > There *are* of course issues with volume_id, which needs to be discussed:
> > 1. udev creates label symlinks by default in /dev/disk/by-label/
> > However the names of these links are not the label itself, but a safe label,
> > which is derived by the rules:
> > - '/' are skipped
> > - multiple spaces are converted to an underscore '_'
> > This will lead to problems when we have two volumes with label, e.g. say:
> > foobar and
> > foo/bar
> > I think this is a point where blkid is smarter in detecting the ambiguity.
> >
> > 2. Device-by-label lookup is done by following the symlink in
> > /dev/disk/by-label
> > You will have to know the safe label, not the real label.
> > When we want to do a label-by-device lookup, volume_id only provides
> > the label (not the safe label). AFAIK volume_id does not export the
> > way it derives the safe label. But this is important when we want to compare
>
>  Well, you can export the replace_untrusted_chars() function, but this
>  is not a solution, because
>
>  replace_untrusted_chars("fooXbar") == replace_untrusted_chars("foo_bar")
>
>  if the 'X' is an unsafe character.
>
>  The concept is wrong, because you can't convert a "safe label" back
>  to the "raw label". The correct solution is to escape (hex, oct, ...)
>  unsafe chars rather than remove them. So... /dev/disk/by-raw-label.
>  Kay?

Right, that sounds much nicer to encode it.

Karel,
how about using url-encoding style strings for the label-links? So the
plain ascii text labels would still look the same, but slashes and
other control chars are safely escaped.

I could export that encoding-function from libvolume_id, and also let
udev create these links in /dev/disk/by-label/. That way, a label:
 /home/foo/bar
would create:
 /dev/disk/by-label/%2fhome%2ffoo%2fbar
and the device could safely be looked up there with LABEL=.

How does that sound?

Thanks,
Kay
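
The collision raised in the quoted text and the URL-style encoding proposed in the reply, side by side, as an added example that is not part of the thread and not udev or libvolume_id code. The function names `safe_label` and `encode_label`, the set of bytes left unescaped, and the sample label `foo%2fbar` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Lossy "safe label", approximated from the thread's description: '/' is
 * skipped and a run of spaces becomes one '_'. Not udev's actual code. */
static void safe_label(const char *in, char *out, size_t len)
{
    size_t o = 0;
    for (; *in && o + 1 < len; in++) {
        if (*in == '/' || (*in == ' ' && in[1] == ' '))
            continue;                 /* drop '/', keep last space of a run */
        out[o++] = (*in == ' ') ? '_' : *in;
    }
    out[o] = '\0';
}

/* URL-style encoding: every byte outside [A-Za-z0-9_-] (assumed safe set),
 * including '%' itself, becomes %xx. Returns 0, or -1 if out is too small. */
static int encode_label(const char *in, char *out, size_t len)
{
    size_t o = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int plain = isalnum(c) || c == '-' || c == '_';
        if (o + (plain ? 1 : 3) >= len)
            return -1;
        if (plain)
            out[o++] = (char)c;
        else
            o += (size_t)snprintf(out + o, 4, "%%%02x", (unsigned)c);
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    /* Sample labels: the first, second and fourth appear in the thread,
     * the third is constructed to show why '%' must be escaped too. */
    const char *labels[] = { "foobar", "foo/bar", "foo%2fbar", "/home/foo/bar" };
    char s[64], e[64];
    for (size_t i = 0; i < sizeof labels / sizeof *labels; i++) {
        safe_label(labels[i], s, sizeof s);
        encode_label(labels[i], e, sizeof e);
        printf("%-14s safe=%-12s encoded=%s\n", labels[i], s, e);
    }
    return 0;
}
```

Because `%` is escaped as well, a label that literally contains `%2f` cannot collide with one that contains `/`, and since `.` is outside the assumed safe set, labels such as `..` never become directory entries with special meaning.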