A hash-based DOS attack on Btrfs
Posted Dec 13, 2012 20:00 UTC (Thu) by tialaramex (subscriber, #21167)
Today's web browsers seem to prefer to give e.g. PDFs downloaded for viewing the filename chosen by the provider unless it is taken. That ought to allow you to wreck a vulnerable btrfs filesystem by giving carefully chosen names to a series of apparently interesting PDFs.
Posted Dec 14, 2012 17:29 UTC (Fri) by dakas (guest, #88146)
It seems like it's a little stronger constraint than "partially user selected". The users need enough knowledge of one part of the filename plus the ability to influence the other part to force the hash.
Posted Dec 17, 2012 13:15 UTC (Mon) by tialaramex (subscriber, #21167)
Most code I've worked on that downloaded arbitrary files and gave them names based on their origin (and thus which could be vulnerable to this attack) prefixed the filenames with some varying code or number such as a node identifier. So a naive "assume constant prefix" wouldn't hurt us, but if you could guess our naming scheme (and if we used btrfs) there's definitely a window.
Posted Dec 14, 2012 7:23 UTC (Fri) by eduperez (guest, #11232)
As a web developer, that situation has always seemed very scary to me: too many "what if" conditions that I could miss and leave the server open for attacks. I prefer to store such files using application-generated names, and (if needed) store the user-supplied name in a database.
Posted Dec 14, 2012 10:22 UTC (Fri) by robert_s (subscriber, #42402)
It wouldn't be particularly difficult to trick a user into unpacking an archive that had 500 crazily named files - all of a sudden, they're there on their filesystem.
And I'm sure there are plenty of web services that accept zips of multiple files to save a user having to upload them all individually. Some may unpack them all in-memory, only saving out recognized files somewhere else (probably with a different filename). But I'm sure many unpack them ("blindly") in a temporary directory and deal with them from there.
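An added example, not part of any comment in this thread: a Python illustration of the approach eduperez describes above (application-generated names on disk, the user-supplied name kept in a database), applied to the zip-upload case robert_s raises. The function names, the SQLite schema and the size limits are assumptions made for the example.

```python
import io
import secrets
import sqlite3
import zipfile
from pathlib import Path

MAX_MEMBERS = 100            # assumed limits; tune per service
MAX_MEMBER_BYTES = 1 << 20


def open_index(db_path=":memory:"):
    """Table mapping the on-disk name to the name the uploader supplied."""
    db = sqlite3.connect(db_path)
    db.execute("CREATE TABLE IF NOT EXISTS uploads ("
               "stored_name TEXT PRIMARY KEY, original_name TEXT NOT NULL)")
    return db


def store_blob(db, store_dir, original_name, data):
    """Write data under a random name; the supplied name only goes in the DB."""
    stored = secrets.token_hex(16)            # never derived from user input
    with open(Path(store_dir) / stored, "xb") as fh:   # "x": fail if it exists
        fh.write(data)
    db.execute("INSERT INTO uploads VALUES (?, ?)", (stored, original_name))
    db.commit()
    return stored


def store_zip(db, store_dir, zip_bytes):
    """Read archive members in memory; no member name ever reaches the disk."""
    stored = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        if len(members) > MAX_MEMBERS:
            raise ValueError("too many archive members")
        for m in members:
            with zf.open(m) as src:
                data = src.read(MAX_MEMBER_BYTES + 1)   # bounded read
            if len(data) > MAX_MEMBER_BYTES:
                raise ValueError("archive member too large")
            stored.append(store_blob(db, store_dir, m.filename, data))
    return stored


def make_sample_zip(names):
    """Constructed sample input: a small archive with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"sample")
    return buf.getvalue()
```

Because the directory entries are random hex strings, an uploader's choice of names has no influence on what the filesystem hashes; the original name is still recoverable from the `uploads` table.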
Posted Dec 15, 2012 1:00 UTC (Sat) by naptastic (subscriber, #60139)
Posted Dec 14, 2012 10:23 UTC (Fri) by Wol (guest, #4433)
Photo printers now typically print the filename on the back of the print. If I take a CD in and print from the in-store machine, it has my filename on the back. If I upload them, and get them by Royal Mail or go and collect, it has some random name on the back - and how do I *easily* track down the file it was printed from?
Posted Dec 14, 2012 11:03 UTC (Fri) by hummassa (subscriber, #307)
Posted Dec 20, 2012 3:53 UTC (Thu) by cibyr (subscriber, #87609)
Oh wait, we do have that! It's called a file system! I assume it can efficiently handle arbitrary combinations of file contents and names.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.