>>>>> "Jeff" == Jeff Yoak <[EMAIL PROTECTED]> writes:
Jeff> At 05:11 PM 6/8/01 -0500, Karen Cravens wrote:
>> On 8 Jun 2001, at 14:33, Randal L. Schwartz wrote:
>>
>> > No, because newlines are the delimiters for sh's "read" operator.
>>
>> Is it just me, or does anyone else think newlines in filenames are
>> Evil Incarnate regardless?
Jeff> It's not just you. :-)
But that doesn't matter.  If you don't plan for it, someone will
create a path with a newline to DELIBERATELY break your code
and potentially open up a security hole.

Imagine this: suppose I discover that you have

    find /tmp -atime +7 -print | xargs rm -f

(or the near equivalent) in your root crontab to run nightly.  And
yes, I've seen this exact command in many clients' crontabs.

All I have to do as a common user is:

    $ mkdir -p "/tmp/foo
    /etc"
    $ touch "/tmp/foo
    /etc/passwd"

and then go away 7 days.  Blam... your password file is gone!

You *MUST* allow for a newline in the path if you are writing any kind
of privileged script.  And this means *all* CGI that deals with paths,
because CGI essentially grants privileges to off-box strangers that
have activated the form response.

So yes, I take newlines in paths seriously.  You can't be an ostrich
about them burying your head in the sand.  That's not secure, and you
will be hacked.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
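
The following is an added example, not part of the original message: it rebuilds the newline path from the message inside a private mktemp directory and shows what a command fed by newline-delimited `find -print | xargs` receives, compared with NUL-delimited `-print0 | xargs -0` and with `find -exec ... {} +`. The function names and the `report` stand-in (used in place of `rm -f`, so nothing is deleted by the pipelines) are assumptions of this example.

```shell
#!/bin/sh
# Added illustration. A stand-in command reports its arguments instead of rm.

# Build a constructed sample tree (path with an embedded newline) in a
# private directory and print that directory's name.
make_tree() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/foo
/etc"
    : > "$dir/foo
/etc/passwd"
    printf '%s\n' "$dir"
}

# Stand-in for "rm -f": prints how many arguments it received and whether
# any argument is exactly /etc/passwd.
report='n=$#; hit=no; for a; do [ "$a" = /etc/passwd ] && hit=yes; done; echo "$n $hit"'

# Newline-delimited: the single file name is split into two arguments.
newline_delimited() { find "$1" -type f -print  | xargs    sh -c "$report" sh; }

# NUL-delimited: a NUL byte cannot occur in a path, so the name stays whole.
nul_delimited()     { find "$1" -type f -print0 | xargs -0 sh -c "$report" sh; }

# No pipe at all: find hands the names to the command directly.
exec_plus()         { find "$1" -type f -exec sh -c "$report" sh {} +; }

tree=$(make_tree) || exit 1
echo "find -print  | xargs    : $(newline_delimited "$tree")"
echo "find -print0 | xargs -0 : $(nul_delimited "$tree")"
echo "find -exec ... {} +     : $(exec_plus "$tree")"
rm -rf "$tree"
```

Each output line is "argument-count saw-/etc/passwd". Only the newline-delimited pipeline turns one file into two arguments, one of which is the bare string /etc/passwd.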