Vulnerability Development mailing list archives
Re: Java questions...
From: Joe Testa <jst3290 () RITVAX ISC RIT EDU>
Date: Sat, 5 Aug 2000 22:38:47 -0400
Mikael Olsson wrote:
You could be even more anal and restrict your set of characters to "a-z", "A-Z", "0-9", "." and "_"; I don't think it would cause any problems, except if you start serving up odd files with spaces in them (YUCK!) and stuff like that. This is a good measure, since you can't know what your underlying OS is going to do to oddball characters like \0xff and company, or wildcards for that matter. What if you run it on some operating system that parses "/webroot/?./secret_files/" as "/webroot/../secret_files", without your java engine knowing about it? Okay, "?" should be treated separately, but consider "/webroot/*./secret_files" then. Also, you might want to consider checking for double "/" characters ("//", "\\", "/\", "\/") so that the underlying operating system doesn't parse them as "start over at the root" or something stupid like that, that the Java engine doesn't know about.
Hmm.... I think these are some very interesting points, but trying to compensate for a quirk in an operating system that doesn't exist yet, or isn't publicly known, is impossible. If a Java webserver would only accept [a-zA-Z0-9], ".", and "_", it wouldn't prevent bad things from happening if an odd operating system interpreted the underscore character in a file operation as a signal to reboot (!). Or, what if an operating system was made which uses the Arabic alphabet within Unicode to represent text, and the ASCII subset as metacharacters?

It seems now that it would be a good idea to add a feature that allows users to specify legal characters in the preferences file themselves, and have them default to [a-zA-Z0-9], "." and "_". I'll put a section in my documentation dedicated to security and I'll make note that my server is only *known* to be safe under Windows and UNIX.

So I guess the moral to all of this is to keep in mind that even in Java's world of platform-independence, the security of code can still be unstable. This builds upon Bruce Schneier's article titled, "Security Risks of Unicode" in his July 15, 2000 issue of the CRYPTO-GRAM.

Thanks a lot for responding; I feel that I've learned a significant amount from this discussion!

- Joe Testa ( jst3290 () cs rit edu )
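Added example (not code from either poster or from the server discussed): a Java version of the allow-list check this thread describes, with configurable legal characters defaulting to [a-zA-Z0-9._] and rejection of the empty segments that doubled separators produce. It goes beyond the thread by adding a canonical-path containment check. The class name `PathFilter`, the preference key `legal.chars` and the `webroot` directory are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.util.Properties;
import java.util.regex.Pattern;

public class PathFilter {
    // Default allow-list from the thread: a-z, A-Z, 0-9, "." and "_".
    static final String DEFAULT_LEGAL = "a-zA-Z0-9._";
    private final Pattern legalSegment;
    private final File root;

    // "legal.chars" is a hypothetical preference key holding a regex character-class body.
    PathFilter(File webroot, Properties prefs) throws IOException {
        String legal = prefs.getProperty("legal.chars", DEFAULT_LEGAL);
        legalSegment = Pattern.compile("[" + legal + "]+");
        root = webroot.getCanonicalFile();
    }

    // Returns the file to serve, or null when the request path is rejected.
    File resolve(String requestPath) throws IOException {
        if (requestPath == null || !requestPath.startsWith("/")) return null;
        if (requestPath.equals("/")) return root;
        // Limit -1 keeps empty strings, so "//" and a trailing "/" appear as empty segments.
        String[] parts = requestPath.substring(1).split("/", -1);
        for (String p : parts) {
            if (p.isEmpty()) return null;                        // doubled separator
            if (!legalSegment.matcher(p).matches()) return null; // "\", "?", "*", space, NUL, non-ASCII
            if (p.matches("\\.+")) return null;                  // ".", "..", "..." and so on
        }
        File f = new File(root, String.join(File.separator, parts)).getCanonicalFile();
        // Containment check: whatever the OS resolved the name to must still sit under the root.
        if (!f.toPath().startsWith(root.toPath())) return null;
        return f;
    }

    public static void main(String[] args) throws IOException {
        PathFilter pf = new PathFilter(new File("webroot"), new Properties());
        // Constructed sample requests, including the shapes raised in the thread.
        String[] samples = { "/index.html", "/docs/a_b.txt", "/../secret_files/x",
                             "/?./secret_files/x", "/*./secret_files/x", "//etc/passwd",
                             "/a\\b", "/my file.txt" };
        for (String s : samples)
            System.out.println(s + " -> " + (pf.resolve(s) == null ? "REJECT" : "serve"));
    }
}
```

The character filter runs per path segment before any file-system call, and the canonical-path comparison afterwards catches names that the platform resolves differently from how the filter read them.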