Directory names from untrusted data

Discussion in 'Python' started by Jim Dabell, Sep 13, 2003.

  1. Jim Dabell

    Jim Dabell Guest

    I'm in the middle of writing a small app for Linux that needs to create
    directories that take their names from untrusted data. If possible, I'd
    like to preserve special characters rather than switching them with dummy
    characters. For instance, using bash, I'd just escape characters with
    backslashes when I want to create a directory name with, say, a slash in.

    I've been through the manual, Google and Usenet, and I've done a bit of
    experimenting, but I can't seem to find a way of doing this in python. The
    only thing I can think of is to spawn a bash shell to do it, which I'd
    rather not have to do. Does anybody have a better way of doing this?
    Also, are there any other things I should watch out for (e.g. excessively
    long names)?

    Ta,

    --
    Jim Dabell
    Jim Dabell, Sep 13, 2003
    #1

  2. On Sat, 13 Sep 2003 16:08:52 +0100,
    Jim Dabell <> wrote:
    > I'm in the middle of writing a small app for Linux that needs to create
    > directories that take their names from untrusted data. If possible, I'd
    > like to preserve special characters rather than switching them with dummy


    I was once told about a security seminar where the speaker explained there
    are two approaches to rules, the American "Everything not forbidden is
    permitted" and the Prussian "Everything not explicitly allowed is
    forbidden." For security, you really want to go with the Prussian approach
    of picking a set of legal characters and discarding anything not in the set,
    rather than the American approach of "; and / are forbidden; everything else
    is permitted." You might someday find a security hole stemming from allowing
    the $ character, at the cost of a break-in; another day you might find
    another hole by getting broken into again. It's better to start with a safe
    set, and increase the set very cautiously as necessary.

    A sneaky approach might be to hex-encode everything; the input filename
    'foo' becomes the on-disk filename '666f6f'. Unreadable, but attackers have
    no way to create special characters.

    > characters. For instance, using bash, I'd just escape characters with
    > backslashes when I want to create a directory name with, say, a slash in.


    I don't believe you can do this on Unix systems; the kernel always assumes
    that slashes indicate multiple directory levels, so foo\/bar would be a
    directory named 'foo\' containing a file named 'bar'.

    > Also, are there any other things I should watch out for (e.g. excessively
    > long names)?


    '..' in paths; someone could provide a filename of ../../<a bunch more
    ...'s>/etc/passwd. If you just open the path and write to it (and happen to
    be running as root), bang, you've just blown away your /etc/passwd. Long
    names will fail after a certain point -- most filesystems seem to have a
    256-byte limit -- but that doesn't seem to present a security risk.

    --amk
    A.M. Kuchling, Sep 14, 2003
    #2
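The three points amk makes above (an allowlist rather than a denylist, hex-encoding as a lossless alternative, and '..' traversal) worked through as an added Python 3 example. This is not code from the thread; the allowed character set, the function names and the 255-byte component cap are assumptions made for the example:

```python
import binascii
import os
import string

# Allowlist ("Prussian") approach: anything not explicitly permitted is
# replaced. This set is an assumption for the example; widen it cautiously.
ALLOWED = set(string.ascii_letters + string.digits + "-_.")


def sanitize_name(untrusted: str, max_len: int = 255) -> str:
    """Map an untrusted string onto a single safe directory name.

    Characters outside ALLOWED become '_', the result is cut to max_len
    (255 is the usual per-component limit on Linux filesystems), and a
    result that is empty or consists only of dots ('.', '..') is refused.
    """
    safe = "".join(c if c in ALLOWED else "_" for c in untrusted)[:max_len]
    if not safe or set(safe) <= {"."}:
        raise ValueError("name reduces to nothing usable")
    return safe


def hex_encode_name(untrusted: str) -> str:
    """Lossless alternative from the post: 'foo' -> '666f6f'.

    Only [0-9a-f] ever reaches the filesystem, so no special character
    can be produced, and the original name is still recoverable.
    """
    return binascii.hexlify(untrusted.encode("utf-8")).decode("ascii")


def hex_decode_name(on_disk: str) -> str:
    return binascii.unhexlify(on_disk.encode("ascii")).decode("utf-8")


def safe_join(base_dir: str, name: str) -> str:
    """Join name under base_dir and refuse anything that could escape it.

    Second line of defence behind sanitize_name: a separator in the name
    would create extra directory levels (the kernel always treats '/'
    as one, there is no escaping it), and '..' would climb out of base.
    """
    if os.sep in name or (os.altsep and os.altsep in name):
        raise ValueError("path separator in directory name")
    if name in ("", ".", ".."):
        raise ValueError("dot-only or empty directory name")
    base = os.path.abspath(base_dir)
    candidate = os.path.abspath(os.path.join(base, name))
    # commonpath is the containment check; it catches anything the two
    # tests above missed (defence in depth rather than a third rule).
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("name escapes base directory")
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs, including the traversal case from the post.
    for raw in ("foo", "foo/bar", "../../etc/passwd"):
        print(repr(raw), "->", sanitize_name(raw), "| hex:", hex_encode_name(raw))
```

The hex form is what you would reach for when the original name must be recoverable (a lookup table keyed by the encoded name works too); the allowlist form is what you would use when the on-disk name should stay readable.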

  3. On Sat, 13 Sep 2003 16:08:52 +0100, Jim Dabell <> wrote:
    >
    > I'm in the middle of writing a small app for Linux that needs to create
    > directories that take their names from untrusted data. If possible, I'd
    > like to preserve special characters rather than switching them with dummy
    > characters. For instance, using bash, I'd just escape characters with


    Preserving characters supplied by untrusted data sounds like you do
    trust your supplier at least a little bit. Depending on how paranoid you
    are and how secure you must be, this may be dangerous.

    > backslashes when I want to create a directory name with, say, a slash in.
    >
    > I've been through the manual, Google and Usenet, and I've done a bit of
    > experimenting, but I can't seem to find a way of doing this in python. The


    Do what in Python?
    Filtering chars or making dirs?
    Both can easily be done in Python

    Filtering:

    import string

    # untrustedname holds the input string
    safename = ''
    for kar in untrustedname:
        if kar in string.ascii_letters:   # string.letters in Python 2
            safename = safename + kar
        else:
            safename = safename + '_'

    Making dir:

    import os

    os.mkdir(safename)


    Obviously, the code above is extremely non-secure, you should do some
    checking on existence of the directory name, provide an atomic creation
    primitive, and set the access rights to something sensible.

    > only thing I can think of is to spawn a bash shell to do it, which I'd
    > rather not have to do. Does anybody have a better way of doing this?
    > Also, are there any other things I should watch out for (e.g. excessively
    > long names)?


    Short answer: Everything, including all things you think you can trust.

    Longer answer: Read a few docs about secure programming to get
    sufficiently paranoid.



    Albert
    --
    Unlike popular belief, the .doc format is not an open publicly available format.
    Albert Hofkamp, Sep 16, 2003
    #3
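Albert's three follow-ups (check for an existing entry, create atomically, set sensible access rights) as an added Python 3 example for Linux; this is not code from the thread. The name pattern, the function names and the 0o700 mode are assumptions made for the example:

```python
import os
import re
import stat
import tempfile

# Allowlist for one path component: must start with a letter or digit, so
# '', '.', '..' and hidden dot-names are rejected before any filesystem
# access. The pattern is an assumption for this example.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def create_private_dir(base_dir: str, name: str) -> str:
    """Create base_dir/name readable only by the current user, atomically.

    os.mkdir is the atomic "create or fail" primitive: if anything already
    exists under that name (a directory, a file, or a symlink someone
    planted pointing elsewhere) it raises FileExistsError and the existing
    entry is never touched. A separate exists-then-create check would leave
    a race window between the two calls; mkdir does both in one syscall.
    The umask can only narrow the requested 0o700, never widen it, so the
    result is private to us without a follow-up chmod.
    """
    if not _NAME_RE.match(name):
        raise ValueError(f"unsafe directory name: {name!r}")
    path = os.path.join(base_dir, name)
    os.mkdir(path, 0o700)  # FileExistsError on any collision
    st = os.lstat(path)    # lstat: never follow a symlink here
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid():
        raise RuntimeError(f"{path} is not a directory owned by us")
    return path


def demo() -> dict:
    """Exercise create_private_dir in a throwaway directory.

    Returns a dict describing what happened so the outcomes can be checked.
    Constructed inputs: one good name, the same name again, a planted
    symlink, and a traversal attempt.
    """
    result = {}
    old_umask = os.umask(0o077)  # make the resulting mode deterministic
    try:
        with tempfile.TemporaryDirectory() as base:
            p = create_private_dir(base, "report.2003-09-13")
            result["mode"] = stat.S_IMODE(os.stat(p).st_mode)
            try:
                create_private_dir(base, "report.2003-09-13")
                result["second_create"] = "succeeded"
            except FileExistsError:
                result["second_create"] = "refused"
            # A symlink planted under a name we are about to create must not
            # be followed or replaced; mkdir fails with EEXIST instead.
            os.symlink("/etc", os.path.join(base, "planted"))
            try:
                create_private_dir(base, "planted")
                result["symlink"] = "followed"
            except FileExistsError:
                result["symlink"] = "refused"
            try:
                create_private_dir(base, "../escape")
                result["traversal"] = "accepted"
            except ValueError:
                result["traversal"] = "rejected"
    finally:
        os.umask(old_umask)
    return result


if __name__ == "__main__":
    print(demo())
```

The existence check and the creation are deliberately one call: checking first with os.path.exists and then calling mkdir is exactly the race condition the thread warns about.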
