A hash-based DOS attack on Btrfs

Posted Dec 14, 2012 10:22 UTC (Fri) by robert_s (subscriber, #42402)
In reply to: A hash-based DOS attack on Btrfs by eduperez
Parent article: A hash-based DoS attack on Btrfs

People seem to be overlooking zipfiles/tarballs.

It wouldn't be particularly difficult to trick a user into unpacking an archive that had 500 crazily named files - all of a sudden, they're there on their filesystem.

And I'm sure there are plenty of web services that accept zips of multiple files to save a user having to upload them all individually. Some may unpack them all in-memory, only saving out recognized files somewhere else (probably with a different filename). But I'm sure many unpack them ("blindly") in a temporary directory and deal with them from there.
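
The first design mentioned in the comment above (unpack in memory, save only recognized files under a different filename), as an added Python example that is not part of the original comment or of LWN's article. The function names, the extension allowlist and the limits are assumptions; the point is that no uploader-chosen name ever becomes a directory entry.

```python
import io
import os
import secrets
import zipfile

# Assumed policy values for this sketch, not taken from the thread.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".txt"}
MAX_ENTRIES = 100
MAX_TOTAL_BYTES = 10 * 1024 * 1024


def store_upload(zip_bytes, dest_dir):
    """Unpack a zip in memory; save recognized files under generated names.

    Returns {stored_name: original_name} so the caller can keep the
    uploader's name as metadata instead of as a directory entry.
    """
    stored = {}
    total = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        entries = [e for e in archive.infolist() if not e.is_dir()]
        if len(entries) > MAX_ENTRIES:
            raise ValueError("too many entries in archive")
        for entry in entries:
            ext = os.path.splitext(entry.filename)[1].lower()
            if ext not in ALLOWED_EXTENSIONS:
                continue  # unrecognized type: never written to disk
            total += entry.file_size  # declared uncompressed size
            if total > MAX_TOTAL_BYTES:
                raise ValueError("archive expands past the size limit")
            # Name comes from the server's RNG, not from the archive.
            name = secrets.token_hex(16) + ext
            with open(os.path.join(dest_dir, name), "xb") as out:
                out.write(archive.read(entry))
            stored[name] = entry.filename
    return stored


def build_sample_zip():
    """Constructed sample upload with awkward, uploader-chosen names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("../../escape.txt", b"one")
        archive.writestr("dir/odd name \u00e9.PNG", b"two")
        archive.writestr("shell.php", b"three")
    return buf.getvalue()
```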



A hash-based DOS attack on Btrfs

Posted Dec 15, 2012 1:00 UTC (Sat) by naptastic (subscriber, #60139)

Let's say a malicious user uploads a bunch of these files through a compromised Wordpress or Joomla site. I realize this is a bit of a stretch, given how secure these platforms have historically been, but bear with me. If these files contain code that hackers can use to do... whatever it is they do... wouldn't this make it very difficult to clean the account?

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.