Local root vulnerability in snap-confine [LWN.net]

Local root vulnerability in snap-confine

Posted Feb 21, 2022 12:43 UTC (Mon) by zdzichu (subscriber, #17118)
In reply to: Local root vulnerability in snap-confine by epa
Parent article: Local root vulnerability in snap-confine

Even "-" character should not be allowed as the first character of a filename. There are many gotchas with various characters. David A. Wheeler summarized them neatly in https://dwheeler.com/essays/fixing-unix-linux-filenames.html .

to post comments

Local root vulnerability in snap-confine

Posted Feb 21, 2022 13:37 UTC (Mon) by adobriyan (subscriber, #30858) [Link] (3 responses)

> Even "-" character should not be allowed as the first character of a filename.

'-' is allowed in URLs. Any site issuing randomised names (like: YT) to user submitted content will create a file starting with minus easily.

Local root vulnerability in snap-confine

Posted Feb 21, 2022 14:15 UTC (Mon) by zdzichu (subscriber, #17118) [Link] (2 responses)

Everything except NULL and / is allowed in filenames. But it doesn't mean it's a good idea to use it. Please take time to read the essay, it is eye-opening.

And you do not need a website. Just touch -- --foot-shooter (or touch -- -rf\ . if you like).

Local root vulnerability in snap-confine

Posted Feb 21, 2022 17:33 UTC (Mon) by adobriyan (subscriber, #30858) [Link] (1 responses)

David Wheeler's proposal would ban every ~1/(26+26+10+4) = 1/66-th video downloaded by youtube-dl. It is too late to ban anything.

GNU ls(1) started to quote filenames with spaces at some point, it was huge step in right direction because copy paste suddenly started working "out of the box". More features lke this are necessary.

Local root vulnerability in snap-confine

Posted Feb 21, 2022 18:04 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

> David Wheeler's proposal would ban every ~1/(26+26+10+4) = 1/66-th video downloaded by youtube-dl. It is too late to ban anything.

Just add automatic escaping for such names.