order of string subs could be possible security hole

Andy Bakun abakun at reac.com
Thu Jul 8 21:03:18 GMT 1999


Nicolas Williams pointed out a possible problem in my close command patch
which did the following order of string substitutions:

   string_sub(syscmd, "%s", filename);
   string_sub(syscmd, "%f", filename);
   standard_sub(conn,syscmd);

Unfortunately, this meant that a filename could contain various
%-substitutions that would be expanded by standard_sub.  I've reordered this
in the close-command patch (www.reac.com/samba/2.0.4) to be

   standard_sub(conn,syscmd);
   string_sub(syscmd, "%s", filename);
   string_sub(syscmd, "%f", filename);

so the filename is expanded last, thereby preserving any %-macros that exist
in the name.  I originally did the standard_sub last because I modeled my
close-cmd code after the printing subsystem code, which also does the
standard_sub last.  Nicolas and I are both concerned that the order of string
subs may be a possible security hole, especially when it comes to root preexec
scripts and the like, since there are a number of places in the samba code where
the security of samba could be dependent on the order of string subs.  Any
comments on the security implications of this?

Andy.
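
The ordering effect described in the message above, as an added example that is not part of the original post or of Samba's code: toy_string_sub is a simplified stand-in for string_sub, a single %U replacement stands in for standard_sub, and the command template, filename and user name are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define CMDLEN 256

/* Toy stand-in for string_sub: one left-to-right pass replacing pat with
 * val in buf (capacity CMDLEN); text inserted by this pass is not rescanned. */
static void toy_string_sub(char *buf, const char *pat, const char *val)
{
    char out[CMDLEN];
    size_t o = 0, plen = strlen(pat), vlen = strlen(val);
    const char *p = buf;

    while (*p && o < CMDLEN - 1) {
        if (strncmp(p, pat, plen) == 0) {
            if (o + vlen >= CMDLEN)
                break;                 /* truncate rather than overflow */
            memcpy(out + o, val, vlen);
            o += vlen;
            p += plen;
        } else {
            out[o++] = *p++;
        }
    }
    out[o] = '\0';
    strcpy(buf, out);
}

/* filename_last == 0: order of the original patch (filename, then macros).
 * filename_last == 1: reordered patch (macros, then filename).
 * The "%U" call is the assumed stand-in for standard_sub(conn, syscmd). */
static const char *build_cmd(char *cmd, const char *tmpl, const char *filename,
                             const char *user, int filename_last)
{
    snprintf(cmd, CMDLEN, "%s", tmpl);
    if (filename_last)
        toy_string_sub(cmd, "%U", user);
    toy_string_sub(cmd, "%s", filename);
    toy_string_sub(cmd, "%f", filename);
    if (!filename_last)
        toy_string_sub(cmd, "%U", user);
    return cmd;
}

int main(void)
{
    char cmd[CMDLEN];
    /* Hypothetical command template; constructed filename containing a macro. */
    printf("%s\n", build_cmd(cmd, "/usr/local/bin/onclose %f", "notes-%U.txt", "alice", 0));
    printf("%s\n", build_cmd(cmd, "/usr/local/bin/onclose %f", "notes-%U.txt", "alice", 1));
    return 0;
}
```

With the filename substituted first, the macro inside the client-chosen name is rewritten by the later pass; with the filename substituted last, the name reaches the command unchanged.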
