[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: C-isms: \0 bytes & Lua's stdlib (Re: [ANN] Lua 5.3.4 (rc3) now available)
- From: Solra Bizna <solra@...>
- Date: Fri, 27 Jan 2017 12:24:22 -0700
-- Part of a hypothetical messaging server
local function file_exists(path)
local f = io.open(path,"r")
if f then f:close() return true
else return false
end
end
local mailbox_name = read_string_from_socket(sock)..".mbox"
if file_exists(mailbox_name) then
-- This mailbox already exists, so it's safe to write to it.
-- (Any file on the filesystem that ends with `.mbox` can be
-- considered a valid mailbox. This isn't a real security risk.
local f = io.open(mailbox_name,"a")
f:write("--- Message from ", get_sender_name_from_socket(sock),
" ---\n", read_string_from_socket(sock), "\n")
f:close()
else
terminate_connection_with_error(sock, "Unknown receiver")
end
-- (end of code section)
The above code openly contains a security problem that could rightly
be considered unimportant. However, what happens if
read_string_from_socket is implemented in a way that allows NUL bytes
in the returned string?
And what happens if I send a message to someone named "/etc/passwd\0"?
A message whose contents are the single line "scriptkiddie:...crypted
password...:1337:1337:,,,:/home:/bin/bash"?
In my opinion, the IO functions should throw an error any time a file
path string contains an embedded NUL. Other functions are less
critical.
- References:
- [ANN] Lua 5.3.4 (rc3) now available, Luiz Henrique de Figueiredo
- Re: [ANN] Lua 5.3.4 (rc3) now available, Marc Balmer
- Re: [ANN] Lua 5.3.4 (rc3) now available, Dirk Laurie
- Re: [ANN] Lua 5.3.4 (rc3) now available, Luiz Henrique de Figueiredo
- Re: [ANN] Lua 5.3.4 (rc3) now available, Rena
- Re: [ANN] Lua 5.3.4 (rc3) now available, Daurnimator
- Re: [ANN] Lua 5.3.4 (rc3) now available, Dirk Laurie
- Re: [ANN] Lua 5.3.4 (rc3) now available, nobody
- C-isms: \0 bytes & Lua's stdlib (Re: [ANN] Lua 5.3.4 (rc3) now available), nobody
- Re: C-isms: \0 bytes & Lua's stdlib (Re: [ANN] Lua 5.3.4 (rc3) now available), Dirk Laurie
- Re: C-isms: \0 bytes & Lua's stdlib (Re: [ANN] Lua 5.3.4 (rc3) now available), Adrian Perez de Castro
- Re: C-isms: \0 bytes & Lua's stdlib (Re: [ANN] Lua 5.3.4 (rc3) now available), szbnwer@<a href="/cgi-bin/echo.cgi?gmail.com">...</a>