Directory names from untrusted data


Jim Dabell

I'm in the middle of writing a small app for Linux that needs to create
directories that take their names from untrusted data. If possible, I'd
like to preserve special characters rather than switching them with dummy
characters. For instance, using bash, I'd just escape characters with
backslashes when I want to create a directory name with, say, a slash in.

I've been through the manual, Google and Usenet, and I've done a bit of
experimenting, but I can't seem to find a way of doing this in python. The
only thing I can think of is to spawn a bash shell to do it, which I'd
rather not have to do. Does anybody have a better way of doing this?
Also, are there any other things I should watch out for (e.g. excessively
long names)?

Ta,
 

A.M. Kuchling

> I'm in the middle of writing a small app for Linux that needs to create
> directories that take their names from untrusted data. If possible, I'd
> like to preserve special characters rather than switching them with dummy

I was once told about a security seminar where the speaker explained there
are two approaches to rules, the American "Everything not forbidden is
permitted" and the Prussian "Everything not explicitly allowed is
forbidden." For security, you really want to go with the Prussian approach
of picking a set of legal characters and discarding anything not in the set,
rather than the American approach of "; and / are forbidden; everything else
is permitted." You might someday find a security hole stemming from allowing
the $ character, at the cost of a break-in; another day you might find
another hole by getting broken into again. It's better to start with a safe
set, and increase the set very cautiously as necessary.

A sneaky approach might be to hex-encode everything; the input filename
'foo' becomes the on-disk filename '666f6f'. Unreadable, but attackers have
no way to create special characters.

> characters. For instance, using bash, I'd just escape characters with
> backslashes when I want to create a directory name with, say, a slash in.

I don't believe you can do this on Unix systems; the kernel always assumes
that slashes indicate multiple directory levels, so foo\/bar would be a
directory named 'foo\' containing a file named 'bar'.

> Also, are there any other things I should watch out for (e.g. excessively
> long names)?

'..' in paths; someone could provide a filename of ../../<a bunch more
...'s>/etc/passwd. If you just open the path and write to it (and happen to
be running as root), bang, you've just blown away your /etc/passwd. Long
names will fail after a certain point -- most filesystems seem to have a
256-byte limit -- but that doesn't seem to present a security risk.

--amk
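The two strategies from the reply above, an allowlist ("Prussian") filter and a reversible hex encoding, together with the '..' and '/' pitfalls it mentions, as an added Python 3 example that is not part of the original thread. It goes a little beyond the post: the component check also rejects NUL and over-long names (Linux NAME_MAX is 255 bytes, and hex encoding doubles the length). The allowlist of ASCII letters, digits, '-' and '_' is an assumption chosen for the example.

```python
import string

# Constructed allowlist for the "Prussian" approach: ASCII letters, digits,
# '-' and '_'. Everything else is replaced. This set is an assumption for
# the example; widen it only deliberately.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + "-_")


def allowlist_name(untrusted: str, replacement: str = "_") -> str:
    """Keep only allowlisted characters; replace the rest.

    Lossy: distinct inputs such as 'a/b' and 'a_b' collide on 'a_b', so the
    result must not be used as a key if the original name has to be
    recoverable or unique."""
    return "".join(c if c in SAFE_CHARS else replacement for c in untrusted)


def hex_encode_name(untrusted: str) -> str:
    """Reversible encoding: every UTF-8 byte becomes two lowercase hex digits,
    so the on-disk name consists of [0-9a-f] only and can never contain '/',
    NUL, or equal '.' or '..'. Unreadable, as the reply says."""
    return untrusted.encode("utf-8").hex()


def hex_decode_name(encoded: str) -> str:
    """Inverse of hex_encode_name; raises ValueError on non-hex input."""
    return bytes.fromhex(encoded).decode("utf-8")


def is_safe_component(name: str, max_bytes: int = 255) -> bool:
    """True if name is exactly one Linux path component: non-empty, not '.'
    or '..', free of '/' and NUL, and within NAME_MAX (255 bytes on ext4,
    xfs and most Linux filesystems). Because hex encoding doubles length, a
    128-byte input already yields a 256-character name that fails here."""
    if name in ("", ".", ".."):
        return False
    if "/" in name or "\x00" in name:
        return False
    return len(name.encode("utf-8")) <= max_bytes


if __name__ == "__main__":
    # Constructed hostile inputs: traversal, a slash, and an embedded NUL.
    for hostile in ("../../etc/passwd", "foo/bar", "evil\x00.txt"):
        print(repr(hostile))
        print("  raw ok?      ", is_safe_component(hostile))
        print("  allowlisted: ", allowlist_name(hostile))
        print("  hex:         ", hex_encode_name(hostile))
```

Either transformation turns every hostile input into a single, safe component; the hex form is the one to use when the original name must be recoverable or two different inputs must never map to the same directory.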
 

Albert Hofkamp

> I'm in the middle of writing a small app for Linux that needs to create
> directories that take their names from untrusted data. If possible, I'd
> like to preserve special characters rather than switching them with dummy
> characters. For instance, using bash, I'd just escape characters with

Preserving characters supplied by untrusted data sounds like you do
trust your supplier at least a little bit. Depending on how paranoid you
are and how secure you must be, this may be dangerous.

> backslashes when I want to create a directory name with, say, a slash in.
>
> I've been through the manual, Google and Usenet, and I've done a bit of
> experimenting, but I can't seem to find a way of doing this in python. The

Do what in Python?
Filtering chars or making dirs?
Both can easily be done in Python.

Filtering:

    import string

    # keep ASCII letters, replace every other character with '_'
    safename = ''
    for kar in untrustedname:
        if kar in string.ascii_letters:   # string.letters on Python 2
            safename = safename + kar
        else:
            safename = safename + '_'

Making dir:

    import os

    os.mkdir(safename)

Obviously, the code above is extremely non-secure; you should do some
checking on existence of the directory name, provide an atomic creation
primitive, and set the access rights to something sensible.

> only thing I can think of is to spawn a bash shell to do it, which I'd
> rather not have to do. Does anybody have a better way of doing this?
> Also, are there any other things I should watch out for (e.g. excessively
> long names)?

Short answer: Everything, including all things you think you can trust.

Longer answer: Read a few docs about secure programming to get
sufficiently paranoid.



Albert
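The three hardening points at the end of that reply (existence check, atomic creation, sensible access rights), as an added Python 3 example that is not part of the original thread. Rather than a separate exists()-then-mkdir check, which would be a time-of-check/time-of-use race, it lets mkdir(2) itself report EEXIST; the 0o700 mode, the base-directory containment check and the descriptor-based fchmod are design choices made for the example, not something the post prescribes.

```python
import os
import stat


def make_private_dir(base: str, component: str, mode: int = 0o700) -> str:
    """Atomically create base/component with restrictive permissions.

    Rejects anything that is not a single path component, refuses a target
    whose parent is not base itself, and relies on mkdir(2) failing with
    EEXIST instead of a separate exists()-then-mkdir check (a TOCTOU race).
    Returns the created path; raises FileExistsError if it already exists."""
    if component in ("", ".", "..") or "/" in component or "\x00" in component:
        raise ValueError("not a single path component: %r" % (component,))
    base_real = os.path.realpath(base)
    target = os.path.join(base_real, component)
    # Defence in depth: after joining, the parent must still be base itself.
    if os.path.dirname(target) != base_real:
        raise ValueError("target escapes base directory")
    # mkdir is atomic: either this call created the directory, or it raises.
    # The requested mode is masked by umask, so it is fixed up below.
    os.mkdir(target, mode)
    # Open the directory just created (O_NOFOLLOW: never a symlink) and chmod
    # through the descriptor, so a swap of the path cannot redirect the chmod.
    fd = os.open(target, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        os.fchmod(fd, mode)
    finally:
        os.close(fd)
    return target


def dir_mode(path: str) -> int:
    """Permission bits actually present on path (lstat: no symlink following)."""
    return stat.S_IMODE(os.lstat(path).st_mode)


if __name__ == "__main__":
    import tempfile

    # Constructed untrusted name, made a safe single component by hex encoding.
    untrusted = "../../etc/passwd"
    safe = untrusted.encode("utf-8").hex()
    with tempfile.TemporaryDirectory() as base:
        created = make_private_dir(base, safe)
        print("created", created, "mode %o" % dir_mode(created))
        try:
            make_private_dir(base, safe)
        except FileExistsError:
            print("second creation refused: already exists")
```

A caller that needs "create or reuse" semantics should catch FileExistsError and then verify the existing entry is a directory it owns, with the expected mode, before trusting it; silently reusing whatever an attacker pre-created under that name is the classic symlink-in-tmp mistake.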
 
