Vulnerability Development mailing list archives

Re: Java questions...


From: Joe Testa <jst3290 () RITVAX ISC RIT EDU>
Date: Sat, 5 Aug 2000 22:38:47 -0400

Mikael Olsson wrote:

> You could be even more anal and restrict your set of characters to
> "a-z", "A-Z", "0-9", "." and "_"; I don't think it would cause
> any problems, except if you start serving up odd files with
> spaces in them (YUCK!) and stuff like that. This is a good
> measure, since you can't know what your underlying OS is
> going to do to oddball characters like \0xff and company, or
> wildcards for that matter. What if you run it on some
> operating system that parses "/webroot/?./secret_files/" as
> "/webroot/../secret_files", without your java engine knowing
> about it? Okay, "?" should be treated separately, but consider
> "/webroot/*./secret_files" then.
>
> Also, you might want to consider checking for double "/" characters
> ("//", "\\", "/\", "\/") so that the underlying operating system
> doesn't parse them as "start over at the root" or something stupid
> like that, that the Java engine doesn't know about.


    Hmm.... I think these are some very interesting points, but trying
to compensate for a quirk in an operating system that doesn't exist
yet, or isn't publicly known, is impossible.

    If a Java webserver would only accept [a-zA-Z0-9], ".", and "_",
it wouldn't prevent bad things from happening if an odd operating
system interpreted the underscore character in a file operation as a
signal to reboot (!).  Or, what if an operating system was made
which uses the Arabic alphabet within Unicode to represent text,
and the ASCII subset as metacharacters?

    It seems now that it would be a good idea to add a feature that
allows users to specify legal characters in the preferences file
themselves, and have them default to [a-zA-Z0-9], "." and "_".
I'll put a section in my documentation dedicated to security and
I'll make note that my server is only *known* to be safe under
Windows and UNIX.

    So I guess the moral to all of this is to keep in mind that even in
Java's world of platform-independence, the security of code can
still be unstable.  This builds upon Bruce Schneier's article titled,
"Security Risks of Unicode" in his July 15, 2000 issue of the
CRYPTO-GRAM.

    Thanks a lot for responding; I feel that I've learned a significant
amount from this discussion!


    - Joe Testa
      ( jst3290 () cs rit edu )
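The checks discussed in this exchange (a configurable whitelist of legal characters defaulting to [a-zA-Z0-9], "." and "_", rejection of doubled or mixed separators, and a final canonical-path check against the document root) combined in one request-path validator. This is an added example, not code from Joe Testa's server or from the original post; the class name, the `resolve` method, the `/webroot` document root and the sample request paths are all assumptions made for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

/**
 * Added example of a request-path validator along the lines of the thread.
 * Not code from the server discussed on the list; names are assumptions.
 */
public final class PathValidator {

    private final Pattern allowedSegment;
    private final File webroot;

    /**
     * @param webroot      document root; canonicalised so the final prefix check is meaningful
     * @param allowedClass body of a regex character class, e.g. "a-zA-Z0-9._",
     *                     which a deployer could set in a preferences file
     */
    public PathValidator(File webroot, String allowedClass) throws IOException {
        this.webroot = webroot.getCanonicalFile();
        this.allowedSegment = Pattern.compile("[" + allowedClass + "]+");
    }

    /** Default whitelist from the thread: [a-zA-Z0-9], "." and "_". */
    public PathValidator(File webroot) throws IOException {
        this(webroot, "a-zA-Z0-9._");
    }

    /** Returns the file to serve, or null if the request path is rejected. */
    public File resolve(String requestPath) throws IOException {
        if (requestPath == null || !requestPath.startsWith("/")) {
            return null;
        }
        // Reject doubled or mixed separators ("//", "\\", "/\", "\/") before the OS ever sees them.
        if (requestPath.indexOf('\\') >= 0 || requestPath.contains("//")) {
            return null;
        }
        String[] segments = requestPath.substring(1).split("/", -1);
        StringBuilder relative = new StringBuilder();
        for (String seg : segments) {
            // Each segment must be non-empty, contain only whitelisted characters,
            // and must not be "." or ".." (both would otherwise pass the character test).
            if (seg.isEmpty() || !allowedSegment.matcher(seg).matches()
                    || seg.equals(".") || seg.equals("..")) {
                return null;
            }
            if (relative.length() > 0) {
                relative.append(File.separatorChar);
            }
            relative.append(seg);
        }
        // Defence in depth: after the whitelist, confirm the canonical target
        // (symlinks resolved) still lies under the document root.
        File target = new File(webroot, relative.toString()).getCanonicalFile();
        String rootPrefix = webroot.getPath() + File.separator;
        if (!target.getPath().startsWith(rootPrefix)) {
            return null;
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs; "/webroot" is an assumed document root.
        PathValidator v = new PathValidator(new File("/webroot"));
        String[] samples = {
            "/index.html",               // accepted
            "/docs/readme_v2.txt",       // accepted
            "/webroot/?./secret_files",  // rejected: "?" not whitelisted
            "/webroot/*./secret_files",  // rejected: "*" not whitelisted
            "/../etc/passwd",            // rejected: ".." segment
            "//etc/passwd",              // rejected: doubled separator
            "/a\\b.txt",                 // rejected: backslash
            "/file with space.html",     // rejected: space not whitelisted
        };
        for (String s : samples) {
            File f = v.resolve(s);
            System.out.println(s + " -> " + (f == null ? "REJECT" : "serve " + f));
        }
    }
}
```

The whitelist does the work the thread asks for (an OS-specific metacharacter never reaches a file call), while the canonical-path prefix check catches what a character filter cannot, such as a symlink inside the root pointing outside it. Widening the character class via the preferences file only weakens the first layer, not the second.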

