Programmers with network engineering skills

Jimmy Hess mysidia at gmail.com
Fri Mar 16 22:20:00 CDT 2012


On Tue, Mar 13, 2012 at 8:41 AM, Joe Greco <jgreco at ns.sol.net> wrote:
>> > box with a semicolon.
>> Only if you don't properly quote/escape the arguments you are passing.

You're going to run into a big mess when trying to combine the rules
for escaping
e-mail addresses that contain special characters  with the
shell-specifc rules for escaping
when invoking system.

When invoking system() you may need different logic for safe execution
when the user's
shell is  /bin/bash   than when it's  /bin/zsh.

> That's a great theory that's been a disaster in practice, as "properly"
> is difficult and mistakes often turn into exploits.

The disaster in practice is invoking system()  with user provided data
into a shell
that interprets special characters.    The semantics of system() are
not your end user's problem.

It's a similar disaster to attempting to embed a SQL query into an
application, but failing to utilize named
parameters  for  untrusted user inputs  -- again,  the SQL language is
not your end user's problem,
Just because ";"  "--", "/*" or  "DROP"  may  have special meaning to
SQL,  does not mean strings that contain these patterns won't be part
of a legitimate e-mail address.


If you must execute a program to validate an e-mail address from its
parameters, make sure to range check the length,   fork,  and exec(),
preferably after chroot()'ing to an unwritable path and setuid'ing to
an unprivileged GID, UID, and EUID,   after fwapping yourself  for not
passing a file descriptor to the child process in order  to exchange
the e-mail address data,   and as a result of this -- you made
potentially private data available to anyone who happens to enter the
right  'ps' command  and see command line arguments at the moment an
address is being validated.


--
-JH



More information about the NANOG mailing list