Message-Id: <90735C03-0C34-49ED-A79A-EC0165C274CC@dwheeler.com>
Date: Thu, 29 Dec 2022 12:56:22 -0500
From: "David A. Wheeler" <dwheeler@...eeler.com>
To: oss-security@...ts.openwall.com
Cc: Demi Marie Obenour <demi@...isiblethingslab.com>,
 Alejandro Colomar <alx.manpages@...il.com>,
 Michael Kerrisk <mtk.manpages@...il.com>
Subject: Re: [patch] proc.5: tell how to parse /proc/*/stat
 correctly

> On Dec 29, 2022, at 11:43 AM, Alan Coopersmith <alan.coopersmith@...cle.com> wrote:


Another solution is to escape bytes that might cause trouble in this field, e.g., using %xx hexadecimal.
So space would be %20, ")" would be %41, control characters 1-31 would be %01 to %1f,
and (of course) "%" would be encoded as %25.
Basically, URL-encode / Percent-encode them. See: https://en.wikipedia.org/wiki/Percent-encoding

Technically this would be a userspace change, but only in cases where the system
would probably have done the wrong thing previously. It's okay if we break *attacker* workflows
as long as we don't break others'. An advantage of URL encoding is that,
like JSON, it's a well-known format. I might do something different if this was a new system,
but that seems like the least-impact approach while eliminating the problem.

--- David A. Wheeler
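
The proposal in the message above, sketched as an added example (not part of the original post and not kernel code): a constructed stat-style line is parsed by plain whitespace splitting, first with a raw comm field and then with a percent-encoded one. The function names, the sample process name and the choice to also escape "(" and bytes at or above 0x7f are assumptions of this example.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample: a 9-byte process name chosen to imitate the fields after comm.
HOSTILE_COMM = b"x) R 1 (y"
REST = "S 4321 1234 1234 0"  # constructed: real state, ppid, pgrp, session, tty_nr

def encode_comm(comm: bytes) -> str:
    """Percent-encode bytes that are ambiguous in a space-delimited "(comm)" field."""
    out = []
    for b in comm:
        # Space, ")", control characters and "%" come from the message;
        # "(" and bytes >= 0x7f are escaped too (assumption of this example).
        if b <= 0x20 or b >= 0x7f or b in b"()%":
            out.append("%%%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)

def render_stat(pid: int, comm: bytes, rest: str, encode: bool) -> str:
    """Build a stat-style line; encode=False mimics a raw, unescaped comm."""
    name = encode_comm(comm) if encode else comm.decode("latin-1")
    return f"{pid} ({name}) {rest}"

def split_parse(line: str, encoded: bool) -> dict:
    """Parse by whitespace splitting alone, as a simple consumer would."""
    f = line.split(" ")
    comm = f[1][1:-1]  # drop the surrounding parentheses
    return {
        "pid": int(f[0]),
        "comm": unquote_to_bytes(comm) if encoded else comm.encode("latin-1"),
        "state": f[2],
        "ppid": int(f[3]),
    }

def demo() -> tuple:
    """Return (parse of raw line, parse of encoded line) for the hostile name."""
    raw = split_parse(render_stat(1234, HOSTILE_COMM, REST, False), False)
    enc = split_parse(render_stat(1234, HOSTILE_COMM, REST, True), True)
    return raw, enc

if __name__ == "__main__":
    for label, parsed in zip(("raw", "encoded"), demo()):
        print(label, parsed)
```

With the raw field the splitter reports the state and parent PID embedded in the process name; with the encoded field it reports the real ones and the name round-trips.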
