
At last, a hope of progress

Posted Mar 25, 2009 14:05 UTC (Wed) by epa (subscriber, #39769)
Parent article: Wheeler: Fixing Unix/Linux/POSIX Filenames

I thoroughly agree. If using a single character for end-of-line was the best design decision in UNIX, then allowing any character sequence in filenames (while at the same time including a shell and scripting environment that's easily tripped up by them) was the worst.

Look at the recent Python version that got tripped up by filenames that are not valid UTF-8. Currently on a Unix-like system you cannot assume anything more about filenames than that they're a string of bytes. This frustrates efforts to treat them as Unicode strings and cleanly allow international characters.

Or look at the whole succession of security holes in shell scripts and even other languages caused by control characters in filenames. My particular favourite is the way many innocuous-looking Perl programs (containing 'while (<>)') can be induced to overwrite random files by making filenames beginning '>'.

A system-wide policy guaranteeing that only sane characters can appear in filenames would eliminate at a stroke a lot of tedious sanity-checking you have to do in userspace (not to mention the hidden bugs and security holes in many programs because the sanity-checking was not paranoid enough). Given the natural conservatism of developers, I can't be optimistic it will happen soon. But, like defaulting to relatime instead of updating atime on each access, it's a long-overdue spring clean to a particularly musty corner of the Unix way.



At last, a hope of progress

Posted Mar 25, 2009 16:52 UTC (Wed) by mjthayer (guest, #39183) [Link] (2 responses)

Actually, I think that the shell and the scripting environment are greater problems than the permissive file names. The fact that everything is a text string to the shell is the source of so many security holes. But of course, in this case the file names are probably easier to fix by far.

At last, a hope of progress

Posted Mar 25, 2009 20:02 UTC (Wed) by mjthayer (guest, #39183) [Link] (1 responses)

Actually, the shell could help a bit. At least one thing that it could do would be to ignore files starting with a dash when expanding '*', the same way it ignores files starting with a dot. I don't know if that would be POSIX compliant, but there are more bad reasons than good for that sort of expansion. Recognising ASCII-zero as a separator for file names in a text stream might also be useful, although I have no idea what other implications that would have, and it would probably fail under many circumstances.

At last, a hope of progress

Posted Mar 29, 2009 0:01 UTC (Sun) by mikachu (guest, #5333) [Link]

On days when I'm feeling paranoid I always say ./* instead of just *, especially when talking to /bin/rm. On the other hand, touch -- -i in directories where you have important files is a nice trick too.
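An added example, not part of any comment above: a small sandbox showing the two hazards this thread discusses, a glob expanding to a name that a command reads as an option, and newline-separated file lists miscounting a name that contains a newline. The file names and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sandbox; every file name below is made up for this demonstration.
LC_ALL=C; export LC_ALL          # fixed glob sort order: "-n" expands first

make_sandbox() {
    d=$(mktemp -d) || return 1
    nl='
'
    printf 'hello\n' > "$d/data.txt"
    : > "$d/-n"                  # empty file whose name looks like cat's -n option
    : > "$d/two${nl}lines.txt"   # empty file whose name contains a newline
    printf '%s\n' "$d"
}

# Bare glob: cat receives "-n" as an argument and parses it as an option,
# so the output gains line numbers and the file "-n" is never read.
cat_bare_glob()      { ( cd "$1" && cat * ); }

# "./" prefix: every expanded word starts with "./", so none looks like an option.
cat_prefixed_glob()  { ( cd "$1" && cat ./* ); }

# "--" marks the end of options for commands that follow the POSIX convention.
cat_end_of_options() { ( cd "$1" && cat -- * ); }

# Newline-separated listing: the embedded newline splits one name into two lines.
count_by_newline()   { find "$1" -type f | wc -l | tr -d ' '; }

# NUL-separated listing: NUL cannot occur in a file name, so the count is exact.
count_by_nul()       { find "$1" -type f -print0 | tr -cd '\0' | wc -c | tr -d ' '; }

demo=$(make_sandbox)
printf 'cat *     -> %s\n' "$(cat_bare_glob "$demo")"
printf 'cat ./*   -> %s\n' "$(cat_prefixed_glob "$demo")"
printf 'cat -- *  -> %s\n' "$(cat_end_of_options "$demo")"
printf 'files counted by newline: %s, by NUL: %s\n' \
    "$(count_by_newline "$demo")" "$(count_by_nul "$demo")"
rm -rf -- "$demo"
```
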

