Bugtraq mailing list archives
Re: Sendmail 8.6.10: what's different?
From: cwe () it kth se (Christian Wettergren)
Date: Fri, 24 Feb 95 15:32:59 +0100
| On Thu, 23 Feb 1995, der Mouse wrote: | > cleanstrcpy(), referred to several times above, is like strcpy, but it | > strips newlines and copies only a restricted set of characters: | > letters, digits, and !#$%&'*+-./^_`{|}~ - why that set was chosen, | > there's no indication. The reason for that set of characters are that it is the characters that "divide" input into tokens in /bin/sh. CERT once recommended me to use the following set of filtered characters '"', '*', '&', '|', '$', ';', '`', '\', '=', '?', '<', '>', '!', '(', ')', '\n', '{', '}', '[', ']', '^', '`' that is "\"*&|$;'\\=?<>!()\n{}[]^`" If we diff the two sets, we get common: !$*&|'^`{} sendmail: #%+-./_~ cert: ";\=?<>()\n[] There are a few ones missing above, that maybe should be included, like '[' and ']'. There is also a number of additional characters '#', '%', '+', '-', '.', '/', '_' and '~', which I take as erring on the safe side, like avoiding the possibility of specifying paths and arguments to programs. | Actually, I like the approach of "explicitly listing what we know is | good", rather than "exclude characters that we know of that are bad" - | it's a lot safer to verify and has less suprises down the track. Do you mean that one could miss a few of them? Unthinkable! :-) /Christian Wettergren
Current thread:
- Re: Sendmail 8.6.9 security hole, (continued)
- Re: Sendmail 8.6.9 security hole Christopher Samuel (Feb 23)
- Sun Security Bulletin #129 (sendmail) Mark Graff (Feb 22)
- new sendmail bug? James W. Abendschan (Feb 22)
- Re: new sendmail bug? joel (Feb 22)
- Re: new sendmail bug? Dave Horsfall (Feb 22)
- Sendmail 8.6.10: what's different? der Mouse (Feb 23)
- X keyboard sniffing Paul Howell (Feb 23)
- Re: Sendmail 8.6.10: what's different? Igor V. Semenyuk (Feb 23)
- Re: Sendmail 8.6.10: what's different? Peter Wemm (Feb 24)
- Re: Sendmail 8.6.10: what's different? Peter Wemm (Feb 23)
- Re: Sendmail 8.6.10: what's different? Christian Wettergren (Feb 24)
- Re: new sendmail bug? Michael Van Norman (Feb 23)
- Re: snooper watchers Aleph One (Feb 22)
- Re: HP-UX Problem... Pete Shipley (Feb 21)