473,326 Members | 2,182 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,326 software developers and data experts.

Directory names from untrusted data


I'm in the middle of writing a small app for Linux that needs to create
directories that take their names from untrusted data. If possible, I'd
like to preserve special characters rather than switching them with dummy
characters. For instance, using bash, I'd just escape characters with
backslashes when I want to create a directory name with, say, a slash in.

I've been through the manual, Google and Usenet, and I've done a bit of
experimenting, but I can't seem to find a way of doing this in python. The
only thing I can think of is to spawn a bash shell to do it, which I'd
rather not have to do. Does anybody have a better way of doing this?
Also, are there any other things I should watch out for (e.g. excessively
long names)?

Ta,

--
Jim Dabell

Jul 18 '05 #1
2 1904
On Sat, 13 Sep 2003 16:08:52 +0100,
Jim Dabell <ji********@jimdabell.com> wrote:
I'm in the middle of writing a small app for Linux that needs to create
directories that take their names from untrusted data. If possible, I'd
like to preserve special characters rather than switching them with dummy
I was once told about a security seminar where the speaker explained there
are two approaches to rules, the American "Everything not forbidden is
permitted" and the Prussian "Everything not explicitly allowed is
forbidden." For security, you really want to go with the Prussian approach
of picking a set of legal characters and discarding anything not in the set,
rather than the American approach of '; and / are forbidden; everything else
is permitted." You might someday find a security hole stemming from allowing
the $ character, at the cost of a break-in; another day you might find
another hole by getting broken into again. It's better to start with a safe
set, and increase the set very cautiously as necessary.

A sneaky approach might be to hex-encode everything; the input filename
'foo' becomes the on-disk filename '666f6f'. Unreadable, but attackers have
no way to create special characters.
characters. For instance, using bash, I'd just escape characters with
backslashes when I want to create a directory name with, say, a slash in.
I don't believe you can do this on Unix systems; the kernel always assumes
that slashes indicate multiple directory levels, so foo\/bar would be a
directory named 'foo\' containing a file named 'bar'.
Also, are there any other things I should watch out for (e.g. excessively
long names)?


'..' in paths; someone could provide a filename of ../../<a bunch more
...'s>/etc/passwd. If you just open the path and write to it (and happen to
be running as root), bang, you've just blown away your /etc/passwd. Long
names will fail after a certain point -- most filesystems seem to have a
256-byte limit -- but that doesn't seem to present a security risk.

--amk
Jul 18 '05 #2
On Sat, 13 Sep 2003 16:08:52 +0100, Jim Dabell <ji********@jimdabell.com> wrote:

I'm in the middle of writing a small app for Linux that needs to create
directories that take their names from untrusted data. If possible, I'd
like to preserve special characters rather than switching them with dummy
characters. For instance, using bash, I'd just escape characters with
Preserving characters supplied by untrusted data sounds like you do
trust your supplier at least a little bit. Depending on how paranoid you
are and how secure you must be, this may be dangerous.
backslashes when I want to create a directory name with, say, a slash in.

I've been through the manual, Google and Usenet, and I've done a bit of
experimenting, but I can't seem to find a way of doing this in python. The
Do what in Python?
Filtering chars or making dirs?
Both can easily be done in Python

Filtering:

safename=''
for kar in untrustedname:
if kar in string.letters:
safename=safename+kar
else:
safename=safename+'_'

Making dir:

os.path.mkdir(safename)
Obviously, the code above is extremely non-secure, you should do some
checking on existance of the directory name, provide an atomic creation
primitive, and set the access rights to something sensible.
only thing I can think of is to spawn a bash shell to do it, which I'd
rather not have to do. Does anybody have a better way of doing this?
Also, are there any other things I should watch out for (e.g. excessively
long names)?


Short answer: Everything, including all things you think you can trust.

Longer answer: Read a few docs about secure programming to get
sufficiently paranoid.

Albert
--
Unlike popular belief, the .doc format is not an open publically available format.
Jul 18 '05 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

3
by: Mike Zupan | last post by:
I have a list that includes files and directories ie: list = I want to sort it so it looks like this I'm just wondering if there is an easy way to do this
9
by: Jim Washington | last post by:
I'm still working on yet another parser for JSON (http://json.org). It's called minjson, and it's tolerant on input, strict on output, and pretty fast. The only problem is, it uses eval(). It's...
1
by: Matt Leslie | last post by:
Hi, I am trying to install python 2.4.1 on a windows XP machine. Whether I choose to install 'for me' or 'for all users, and no matter where I select as the root directory, the installer always...
0
by: Jeff Reed | last post by:
I am experiencing the the problem outlined the below. Unfortunately, I am using WinXP and I not sure if I can apply the solution due to lack of security control Any feed back would be apreciated ...
2
by: Antonio-F100 | last post by:
Hello, I need help creating the code for a macro button on a form that will open a file directory with windows explorer. I have about 500 directories with very long names and only want to...
0
by: Ben | last post by:
Hello, I've been developing apps in Delphi for years and have just started writing my first big project in c# + ms .net and have some questions about security and untrusted code. I've got an...
1
by: dkmarni | last post by:
Hi, I am trying to do this perl script, but not able to complete it successfully. Here is the description what the script has to do.. Accept two and only two command line arguments. Again,...
8
by: theCancerus | last post by:
Hi All, I am not sure if this is the right place to ask this question but i am very sure you may have faced this problem, i have already found some post related to this but not the answer i am...
2
by: Andrey Fedorov | last post by:
Is the scope of a closure accessible after it's been created? Is it safe against XSS to use closures to store "private" auth tokens? In particular, in... ....can untrusted code access...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.