Programmers with network engineering skills
Jimmy Hess
mysidia at gmail.com
Sat Mar 17 03:20:00 UTC 2012
On Tue, Mar 13, 2012 at 8:41 AM, Joe Greco <jgreco at ns.sol.net> wrote:
>> > box with a semicolon.
>> Only if you don't properly quote/escape the arguments you are passing.
You're going to run into a big mess when trying to combine the rules
for escaping
e-mail addresses that contain special characters with the
shell-specifc rules for escaping
when invoking system.
When invoking system() you may need different logic for safe execution
when the user's
shell is /bin/bash than when it's /bin/zsh.
> That's a great theory that's been a disaster in practice, as "properly"
> is difficult and mistakes often turn into exploits.
The disaster in practice is invoking system() with user provided data
into a shell
that interprets special characters. The semantics of system() are
not your end user's problem.
It's a similar disaster to attempting to embed a SQL query into an
application, but failing to utilize named
parameters for untrusted user inputs -- again, the SQL language is
not your end user's problem,
Just because ";" "--", "/*" or "DROP" may have special meaning to
SQL, does not mean strings that contain these patterns won't be part
of a legitimate e-mail address.
If you must execute a program to validate an e-mail address from its
parameters, make sure to range check the length, fork, and exec(),
preferably after chroot()'ing to an unwritable path and setuid'ing to
an unprivileged GID, UID, and EUID, after fwapping yourself for not
passing a file descriptor to the child process in order to exchange
the e-mail address data, and as a result of this -- you made
potentially private data available to anyone who happens to enter the
right 'ps' command and see command line arguments at the moment an
address is being validated.
--
-JH
More information about the NANOG
mailing list