[patch] alpha_strcpy for HEAD
Alexander Bokovoy
a.bokovoy at sam-solutions.net
Fri Jan 18 03:04:02 GMT 2002
On Fri, Jan 18, 2002 at 09:52:38PM +1100, Andrew Bartlett wrote:
> Alexander Bokovoy wrote:
> >
> > On Fri, Jan 18, 2002 at 08:17:44PM +1100, Andrew Bartlett wrote:
> > > > This patch just allow consider _all_ letters (including multibute ones
> > > > in e.g. UTF-8) as valid symbols.
> > > Can you tell me that all letters won't include \ ' / " * @ ! .. within
> > > that multibyte sequence?
> > >
> > > Can you tell me that they wont include a byte of value 255? That it
> > > won't inlude *any shell metacharacter*?
> > Please note that byte of value 255 is _valid_ letter (CYRILLIC SMALL
> > LETTER YA, <U044F>) in encoding CP1251 which is native Unix encoding for
> > Bulgarian and Belarusian langauges. Disabling it you're risking to break
> > support for those languages at all.
>
> This makes my point rather well actually.
>
> If sombody sends us this (special to some shells) char what should we
> do? Its a perfectly vaild char that we don't want to mess with, but it
> could also allow an exploit on particualr systems in particuar
> configurations.
>
> This is why I think we need a better way to 'vet' this incoming data.
All well-written shells (I know, you don't trust them :) take locale into
account on start. If Samba was able to pass 'unix locale'.'unix charset'
combination as $LANG environmental variable on those executions then we
could concentrate on filtering only non-alphabetic characters according
this locale (and general set of danger letters for User Manager), which
is rather easy.
Of course problem is deeper than that but it shows ways to find it out.
--
/ Alexander Bokovoy
$ cat /proc/identity >~/.signature
`Senior software developer and analyst for SaM-Solutions Ltd.`
---
Nov 21 20:58:58 alconost kernel: VFS: Busy inodes after unmount.
Self-destruct in 5 seconds. Have a nice day...
More information about the samba-technical
mailing list