LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/Secure-Programs-HOWTO/file-names.html

278 lines
7.0 KiB
HTML
Raw Permalink Blame History

<HTML
><HEAD
><TITLE
>File Names</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Secure Programming for Linux and Unix HOWTO"
HREF="index.html"><LINK
REL="UP"
TITLE="Validate All Input"
HREF="input.html"><LINK
REL="PREVIOUS"
TITLE="File Descriptors"
HREF="file-descriptors.html"><LINK
REL="NEXT"
TITLE="File Contents"
HREF="file-contents.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Secure Programming for Linux and Unix HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="file-descriptors.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 5. Validate All Input</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="file-contents.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="FILE-NAMES"
></A
>5.4. File Names</H1
><P
>The names of files can, in certain circumstances, cause serious problems.
This is especially a problem for secure programs that run on computers
with local untrusted users, but this isn't limited to that circumstance.
Remote users may be able to trick a program into creating undesirable
filenames (programs should prevent this, but not all do), or remote
users may have partially penetrated a system and try using this trick
to penetrate the rest of the system.</P
><P
>Usually you will want to not include ``..''
(higher directory) as a legal value from an untrusted user, though
that depends on the circumstances.
You might also want to list only the characters you will permit, and
forbidding any filenames that don't match the list.
It's best to prohibit any change in directory, e.g., by not
including ``/'' in the set of legal characters, if you're taking data
from an external user and transforming it into a filename.</P
><P
>Often you shouldn't support ``globbing'', that is,
expanding filenames using ``*'', ``?'', ``['' (matching ``]''),
and possibly ``{'' (matching ``}'').
For example, the command ``ls *.png'' does a glob on ``*.png'' to list
all PNG files.
The C fopen(3) command (for example) doesn't do globbing, but the command
shells perform globbing by default, and in C you can request globbing
using (for example) glob(3).
If you don't need globbing, just use the calls that don't do it where
possible (e.g., fopen(3)) and/or disable them
(e.g., escape the globbing characters in a shell).
Be especially careful if you want to permit globbing.
Globbing can be useful, but complex globs can take a great deal of computing
time.
For example, on some ftp servers, performing a few of these requests can
easily cause a denial-of-service of the entire machine:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>ftp&#62; ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*</PRE
></FONT
></TD
></TR
></TABLE
>
Trying to allow globbing, yet limit globbing patterns, is probably futile.
Instead, make sure that any such programs run as a separate process and
use process limits to limit the amount of CPU and other resources
they can consume.
See <A
HREF="minimize-privileges.html#MINIMIZE-RESOURCES"
>Section 7.4.8</A
> for more information on this
approach, and see <A
HREF="quotas.html"
>Section 3.6</A
> for more information
on how to set these limits.</P
><P
>Unix-like systems generally forbid including the NIL character in a filename
(since this marks the end of the name) and the '/' character
(since this is the directory separator).
However, they often permit anything else, which is a problem;
it is easy to write programs that can be subverted by cleverly-created
filenames.</P
><P
>Filenames that can especially cause problems include:
<P
></P
><UL
><LI
><P
>Filenames with leading dashes (-).
If passed to other programs, this may cause the other programs to
misinterpret the name as option settings.
Ideally, Unix-like systems shouldn't allow these filenames;
they aren't needed and create many unnecessary security problems.
Unfortunately, currently developers have to deal with them.
Thus, whenever calling another program with a filename, insert
``--'' before the filename parameters (to stop option processing, if
the program supports this common request) or modify the filename
(e.g., insert ``./'' in front of the filename to keep the dash from
being the lead character).</P
></LI
><LI
><P
>Filenames with control characters.
This especially includes newlines and carriage returns (which are
often confused as argument separators inside shell scripts, or can
split log entries into multiple entries) and the
ESCAPE character (which can interfere with terminal emulators, causing
them to perform undesired actions outside the user's control).
Ideally, Unix-like systems shouldn't allow these filenames either;
they aren't needed and create many unnecessary security problems.</P
></LI
><LI
><P
>Filenames with spaces; these can sometimes confuse a shell into being
multiple arguments, with the other arguments causing problems.
Since other operating systems allow spaces in filenames (including
Windows and MacOS), for interoperability's sake this will probably
always be permitted.
Please be careful in dealing with them, e.g., in the shell use
double-quotes around all filename parameters whenever calling another
program.
You might want to forbid leading and trailing spaces at least; these
aren't as visible as when they occur in other places, and can confuse
human users.</P
></LI
><LI
><P
>Invalid character encoding.
For example, a program may believe that the filename is UTF-8 encoded,
but it may have an invalidly long UTF-8 encoding.
See <A
HREF="character-encoding.html#CHARACTER-ENCODING-UTF8"
>Section 5.9.2</A
> for more information.
I'd like to see agreement on the character encoding used for filenames
(e.g., UTF-8), and then have the operating system enforce the encoding
(so that only legal encodings are allowed), but that hasn't happened
at this time.</P
></LI
><LI
><P
>Another other character special to internal data formats, such as ``&#60;'',
``;'', quote characters, backslash, and so on.</P
></LI
></UL
></P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="file-descriptors.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="file-contents.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>File Descriptors</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="input.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>File Contents</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
Reference in New Issue View Git Blame Copy Permalink