|
|
Subscribe / Log in / New account

Local root vulnerability in snap-confine

Local root vulnerability in snap-confine

Posted Feb 20, 2022 3:03 UTC (Sun) by foom (subscriber, #14868)
In reply to: Local root vulnerability in snap-confine by epa
Parent article: Local root vulnerability in snap-confine

Eh? No use for spaces and parentheses? Both of those are incredibly useful in filenames for humans! Characters like newlines or tabs, sure -- those have no place in filenames. And you could arguably exclude double quotes as well, but a filename like "Aaron's Report: Cats (2010)" is completely reasonable.

If there's blame to be had, it'd be for the Unix shell language which treats strings in a variable unsafely by default!

to post comments

Local root vulnerability in snap-confine

Posted Feb 21, 2022 7:01 UTC (Mon) by epa (subscriber, #39769) [Link] (5 responses)

I meant mount points should be restricted to alphanumeric and -_. characters. For filenames in general I agree that humans expect to use ().

On some platforms space is not a legal character in filenames but you can use non-breaking space, which isn’t treated specially by the shell. I’m not sure whether that is better or worse.

Local root vulnerability in snap-confine

Posted Feb 21, 2022 12:43 UTC (Mon) by zdzichu (subscriber, #17118) [Link] (4 responses)

Even "-" character should not be allowed as the first character of a filename. There are many gotchas with various characters. David A. Wheeler summarized them neatly in https://dwheeler.com/essays/fixing-unix-linux-filenames.html .

Local root vulnerability in snap-confine

Posted Feb 21, 2022 13:37 UTC (Mon) by adobriyan (subscriber, #30858) [Link] (3 responses)

> Even "-" character should not be allowed as the first character of a filename.

'-' is allowed in URLs. Any site issuing randomised names (like: YT) to user submitted content will create a file starting with minus easily.

Local root vulnerability in snap-confine

Posted Feb 21, 2022 14:15 UTC (Mon) by zdzichu (subscriber, #17118) [Link] (2 responses)

Everything except NULL and / is allowed in filenames. But it doesn't mean it's a good idea to use it. Please take time to read the essay, it is eye-opening.

And you do not need a website. Just touch -- --foot-shooter (or touch -- -rf\ . if you like).

Local root vulnerability in snap-confine

Posted Feb 21, 2022 17:33 UTC (Mon) by adobriyan (subscriber, #30858) [Link] (1 responses)

David Wheeler's proposal would ban every ~1/(26+26+10+4) = 1/66-th video downloaded by youtube-dl. It is too late to ban anything.

GNU ls(1) started to quote filenames with spaces at some point, it was huge step in right direction because copy paste suddenly started working "out of the box". More features lke this are necessary.

Local root vulnerability in snap-confine

Posted Feb 21, 2022 18:04 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

> David Wheeler's proposal would ban every ~1/(26+26+10+4) = 1/66-th video downloaded by youtube-dl. It is too late to ban anything.

Just add automatic escaping for such names.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds