Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <F60236E0-F65A-4441-9E62-64EE55016B2C@dwheeler.com>
Date: Wed, 6 Nov 2024 10:44:55 -0500
From: "David A. Wheeler" <dwheeler@...eeler.com>
To: oss-security@...ts.openwall.com
Subject: Re: shell wildcard expansion (un)safety



> On Nov 5, 2024, at 11:12 PM, Solar Designer <solar@...nwall.com> wrote:
> 
> Alexander Hu, CC'ed here, sent a message titled "shell expansion bug" to
> the distros list and a few other distro security contacts and shell
> maintainers.  The message described known and correct behavior (not a
> bug), even if unexpected by some and risky. ...

> Since this issue and other related ones were known for decades,
> getopt(3) and getopt_long(3), which are used by many programs, will stop
> processing options upon seeing a plain "--" argument.

However, many programs do *not* use getopt or getopt_long to process arguments.
Many programs support "--", but "not* all do,so using "--" as the sole countermeasure
requires careful review of every command's documentation.

I urge always using "./" to prefix wildcards if the first character is a wildcard,
e.g., "./*.pdf", because this ALWAYS works.

> ... over the years we gained things like ...
> 
> find . -mindepth 1 -maxdepth 1 -type f -print0 | xargs -0 grep text --

The "-print0" and "-0" options have been widely implemented, but
POSIX 2024 finally formally adds them. So I urge using them where they
make sense, as they counter embedded linefeed characters in filenames.

> Can the shells do anything to mitigate this?  I think not without
> breaking compatibility.  The only not-too-unreasonable change I can
> think of is wildcard expansion prefixing filenames with "./", maybe only
> those that start with "-" and maybe not when used with builtin "echo".

I think something like this is a good idea, hopefully it'd be an option that could eventually
be standardized. I think "./" should be prefixed if the first character is a wildcard,
so that the resulting filenames will be consistent.

A simpler approach would be to simply forbid creating filenames that
include control characters or begin with "-". If you're doing that, also consider
an option requiring UTF-8 for new filenames. The current
situation makes it unnecessarily hard to write secure programs.
I wouldn't call supporting such filenames a "security vulnerability" exactly,
but they make developing secure software harder, and nothing *requires*
that we (as an industry) support them. POSIX never guaranteed such
filenames were allowed, and even has an error code for bad filenames.

Long ago I wrong a really long essay about POSIX filename issues.
Some people here may find it interesting:
https://dwheeler.com/essays/fixing-unix-linux-filenames.html

--- David A. Wheeler

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.