-- Part of a hypothetical messaging server
local function file_exists(path)
   local f = io.open(path,"r")
   if f then f:close() return true
   else return false
   end
end
local mailbox_name = read_string_from_socket(sock)..".mbox"
if file_exists(mailbox_name) then
   -- This mailbox already exists, so it's safe to write to it.
   -- (Any file on the filesystem that ends with `.mbox` can be
   -- considered a valid mailbox. This isn't a real security risk.)
   local f = io.open(mailbox_name,"a")
   f:write("--- Message from ", get_sender_name_from_socket(sock),
           " ---\n", read_string_from_socket(sock), "\n")
   f:close()
else
   terminate_connection_with_error(sock, "Unknown receiver")
end
-- (end of code section)

The above code openly contains a security problem that could rightly
be considered unimportant. However, what happens if
read_string_from_socket is implemented in a way that allows NUL bytes
in the returned string?

And what happens if I send a message to someone named "/etc/passwd\0"?
A message whose contents are the single line "scriptkiddie:...crypted
password...:1337:1337:,,,:/home:/bin/bash"?

In my opinion, the IO functions should throw an error any time a file
path string contains an embedded NUL. Other functions are less
critical.
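
The mitigation the post argues for, written out as an added example (this is editor-supplied code, not code from the original post or from the Lua project). `checked_open` is a hypothetical wrapper around `io.open` that raises instead of silently truncating at the first NUL; `valid_mailbox_name` is a hypothetical allow-list check for the receiver string before it becomes a file name. The inputs at the bottom are constructed for the demonstration; no socket is involved.

```lua
-- Added example, not from the original post.
-- Lua strings may contain "\0", but io.open passes the path to the C
-- library as a NUL-terminated char*, so everything after the first NUL is
-- dropped: "/etc/passwd\0.mbox" reaches fopen() as "/etc/passwd".

local function has_embedded_nul(path)
   -- plain find (4th argument true) so "\0" is not treated as a pattern
   return path:find("\0", 1, true) ~= nil
end

-- Hypothetical checked replacement for io.open: error on NUL, never truncate.
local raw_open = io.open
local function checked_open(path, mode)
   if type(path) ~= "string" then
      error("checked_open: path must be a string", 2)
   end
   if has_embedded_nul(path) then
      error("checked_open: embedded NUL in path", 2)
   end
   return raw_open(path, mode)
end

-- Defence in depth for the mailbox name itself: the receiver string becomes
-- a file name, so restrict it to a conservative character set before ".mbox"
-- is appended. Path separators, "..", and any control byte are rejected.
local function valid_mailbox_name(name)
   return type(name) == "string"
      and #name > 0 and #name <= 64
      and name:match("^[%w_%-]+$") ~= nil
end

-- Constructed inputs for the demonstration.
local cases = {
   { "alice",            true  },  -- ordinary receiver
   { "/etc/passwd\0",    false },  -- NUL truncation attempt from the post
   { "../../etc/shadow", false },  -- traversal is caught by the same check
   { "",                 false },  -- empty name
}
for _, c in ipairs(cases) do
   local name, expected = c[1], c[2]
   assert(valid_mailbox_name(name) == expected,
          "unexpected verdict for " .. string.format("%q", name))
end

-- checked_open refuses the NUL-bearing path instead of opening the truncated one.
local ok, err = pcall(checked_open, "/etc/passwd\0.mbox", "a")
assert(not ok and err:find("embedded NUL", 1, true) ~= nil)

print("all checks passed")
```

Assigning `io.open = checked_open` near program start gives every caller the behaviour the post asks for; the allow-list check is the cheaper fix to apply at the point where untrusted input is turned into a path, and it also covers traversal, which the NUL check alone does not.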