|
Message-Id: <90735C03-0C34-49ED-A79A-EC0165C274CC@dwheeler.com> Date: Thu, 29 Dec 2022 12:56:22 -0500 From: "David A. Wheeler" <dwheeler@...eeler.com> To: oss-security@...ts.openwall.com Cc: Demi Marie Obenour <demi@...isiblethingslab.com>, Alejandro Colomar <alx.manpages@...il.com>, Michael Kerrisk <mtk.manpages@...il.com> Subject: Re: [patch] proc.5: tell how to parse /proc/*/stat correctly > On Dec 29, 2022, at 11:43 AM, Alan Coopersmith <alan.coopersmith@...cle.com> wrote: Another solution is to escape bytes that might cause trouble in this field, e.g., using %xx hexadecimal. So space would be %20, ")" would be %41, control characters 1-31 would be %01 to %1f, and (of course) "%" would be encoded as %25. Basically, URL-encode / Percent-encode them. See: https://en.wikipedia.org/wiki/Percent-encoding Technically this would be a userspace change, but only in cases where the system would probably have done the wrong thing previously. It's okay if we break *attacker* workflows as long as we don't break others'. An advantage of URL encoding is that, like JSON, it's a well-known format. I might do something different if this was a new system, but that seems like the least-impact approach while eliminating the problem. --- David A .Wheeler
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.