Velocity Reviews


Jim Dabell 09-13-2003 03:08 PM

Directory names from untrusted data
 

I'm in the middle of writing a small app for Linux that needs to create
directories that take their names from untrusted data. If possible, I'd
like to preserve special characters rather than switching them with dummy
characters. For instance, using bash, I'd just escape characters with
backslashes when I want to create a directory name with, say, a slash in.

I've been through the manual, Google and Usenet, and I've done a bit of
experimenting, but I can't seem to find a way of doing this in python. The
only thing I can think of is to spawn a bash shell to do it, which I'd
rather not have to do. Does anybody have a better way of doing this?
Also, are there any other things I should watch out for (e.g. excessively
long names)?

Ta,

--
Jim Dabell


A.M. Kuchling 09-14-2003 12:35 AM

Re: Directory names from untrusted data
 
On Sat, 13 Sep 2003 16:08:52 +0100,
Jim Dabell <jim-usenet@jimdabell.com> wrote:
> I'm in the middle of writing a small app for Linux that needs to create
> directories that take their names from untrusted data. If possible, I'd
> like to preserve special characters rather than switching them with dummy


I was once told about a security seminar where the speaker explained there
are two approaches to rules, the American "Everything not forbidden is
permitted" and the Prussian "Everything not explicitly allowed is
forbidden." For security, you really want to go with the Prussian approach
of picking a set of legal characters and discarding anything not in the set,
rather than the American approach of "; and / are forbidden; everything else
is permitted." You might someday find a security hole stemming from allowing
the $ character, at the cost of a break-in; another day you might find
another hole by getting broken into again. It's better to start with a safe
set, and increase the set very cautiously as necessary.

A sneaky approach might be to hex-encode everything; the input filename
'foo' becomes the on-disk filename '666f6f'. Unreadable, but attackers have
no way to create special characters.

> characters. For instance, using bash, I'd just escape characters with
> backslashes when I want to create a directory name with, say, a slash in.


I don't believe you can do this on Unix systems; the kernel always assumes
that slashes indicate multiple directory levels, so foo\/bar would be a
directory named 'foo\' containing a file named 'bar'.

> Also, are there any other things I should watch out for (e.g. excessively
> long names)?


'..' in paths; someone could provide a filename of ../../<a bunch more
...'s>/etc/passwd. If you just open the path and write to it (and happen to
be running as root), bang, you've just blown away your /etc/passwd. Long
names will fail after a certain point -- most filesystems seem to have a
256-byte limit -- but that doesn't seem to present a security risk.

--amk

Albert Hofkamp 09-16-2003 01:17 PM

Re: Directory names from untrusted data
 
On Sat, 13 Sep 2003 16:08:52 +0100, Jim Dabell <jim-usenet@jimdabell.com> wrote:
>
> I'm in the middle of writing a small app for Linux that needs to create
> directories that take their names from untrusted data. If possible, I'd
> like to preserve special characters rather than switching them with dummy
> characters. For instance, using bash, I'd just escape characters with


Preserving characters supplied by untrusted data sounds like you do
trust your supplier at least a little bit. Depending on how paranoid you
are and how secure you must be, this may be dangerous.

> backslashes when I want to create a directory name with, say, a slash in.
>
> I've been through the manual, Google and Usenet, and I've done a bit of
> experimenting, but I can't seem to find a way of doing this in python. The


Do what in Python?
Filtering chars or making dirs?
Both can easily be done in Python

Filtering:

    import os
    import string

    safename = ''
    for kar in untrustedname:
        # keep only ASCII letters (string.letters in Python 2); everything else becomes '_'
        if kar in string.ascii_letters:
            safename = safename + kar
        else:
            safename = safename + '_'

Making dir:

    os.mkdir(safename)   # os.path has no mkdir; the call is os.mkdir


Obviously, the code above is extremely non-secure; you should do some
checking on existence of the directory name, provide an atomic creation
primitive, and set the access rights to something sensible.

> only thing I can think of is to spawn a bash shell to do it, which I'd
> rather not have to do. Does anybody have a better way of doing this?
> Also, are there any other things I should watch out for (e.g. excessively
> long names)?


Short answer: Everything, including all things you think you can trust.

Longer answer: Read a few docs about secure programming to get
sufficiently paranoid.



Albert
--
Unlike popular belief, the .doc format is not an open publicly available format.
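A worked version of the advice in the two replies above (A.M. Kuchling's allowlist and hex-encoding suggestions and '..' warning, Albert Hofkamp's filter-then-mkdir sketch with an existence check, atomic creation and sensible permissions), added here as an example that is not part of the original thread. It assumes Python 3 on Linux; the name-length limit is read from the filesystem with os.pathconf, and the demo() run in a temporary directory is constructed for illustration.

```python
import binascii
import os
import string
import tempfile

# Allowlist ("everything not explicitly allowed is forbidden"): only these survive.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + "-_")

def allowlist_name(untrusted):
    """Replace every character outside SAFE_CHARS with '_'."""
    return "".join(c if c in SAFE_CHARS else "_" for c in untrusted)

def hex_name(untrusted):
    """Hex-encode the UTF-8 bytes: 'foo' -> '666f6f'. Reversible with unhexlify."""
    return binascii.hexlify(untrusted.encode("utf-8")).decode("ascii")

def check_component(name, base):
    """Accept only one non-empty, non-dot path component within the filesystem's NAME_MAX."""
    if name in ("", ".", "..") or "/" in name or "\0" in name:
        raise ValueError("not a single safe path component: %r" % name)
    limit = os.pathconf(base, "PC_NAME_MAX") if hasattr(os, "pathconf") else 255
    if len(name.encode("utf-8")) > limit:
        raise ValueError("name longer than %d bytes" % limit)
    return name

def make_untrusted_dir(base, untrusted, encode=allowlist_name):
    """Encode, confine to base, then create in one syscall with a private mode."""
    name = check_component(encode(untrusted), base)
    base_real = os.path.realpath(base)
    path = os.path.join(base_real, name)
    if os.path.dirname(path) != base_real:  # belt and braces against traversal
        raise ValueError("path escapes base directory")
    os.mkdir(path, 0o700)  # raises FileExistsError: no check-then-create race
    return path

def demo():
    """Constructed run in a scratch dir: returns (basename, mode_is_0700, dup_rejected)."""
    with tempfile.TemporaryDirectory() as base:
        path = make_untrusted_dir(base, "../../etc/passwd")
        mode_ok = (os.stat(path).st_mode & 0o777) == 0o700
        try:
            make_untrusted_dir(base, "../../etc/passwd")
            dup_rejected = False
        except FileExistsError:
            dup_rejected = True
        return os.path.basename(path), mode_ok, dup_rejected

if __name__ == "__main__":
    print(demo(), hex_name("foo"))
```

Pass encode=hex_name to make_untrusted_dir to get the reversible on-disk names Kuchling describes instead of the lossy underscore substitution.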

