Bugtraq mailing list archives

Re: Linux, too, sort of (Windows MS-DOS Device Name DoS vulnerabilities)


From: Glynn Clements <glynn.clements () virgin net>
Date: Wed, 18 Jul 2001 20:58:43 +0100


aland () striker ottawa on ca wrote:

One may be tempted to block all the files below /dev inside
the browser/servers.
Could this be a cure for this problem under linux/UNIX?

  No.  The browsers should be using the 'fstat' function, prior to
opening any 'file://' URL.

fstat() requires a descriptor; you need to use stat().

BTW, on Unix, simply open()ing a device can have undesirable
consequences, hence the need to use stat() before opening the file.

Regular files and directories should be
OK.  Links should have their links de-referenced, and the linked-to
file 'fstat'ed also.  Any other files should be ignored.

Symbolic links don't show up in the results from stat() or fstat();
you would need to use lstat() if you wanted to identify links (in this
case, you don't).

I notice that the Windows mechanism which is being recommended, i.e.
GetFileType(), requires a file handle. As Alun Jones pointed out:

The person quoted here doesn't indicate whether it is merely opening the 
device files, or trying to access (read or write) their contents, is what 
will "wedge the DOS box" - if the former, then GetFileType is sadly of no 
assistance.

Can anyone shed any light upon whether the act of opening a device
under Windows can have undesirable side effects?
-- 
Glynn Clements <glynn.clements () virgin net>
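
The stat()-before-open() check discussed in this message, as an added example that is not part of the original post or any browser's code. The helper name open_local_file and the sample paths are hypothetical. It goes one step beyond the thread by re-checking the opened descriptor with fstat(), so that a path swapped between the stat() and the open() is also refused.

```c
/* Added example: refuse anything but regular files and directories. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns an open read-only descriptor, or -1 if the
 * path is missing or is not a regular file or directory. */
int open_local_file(const char *path)
{
    struct stat before, after;

    /* stat() follows symlinks, so a link to /dev/zero reports a device. */
    if (stat(path, &before) != 0)
        return -1;
    if (!S_ISREG(before.st_mode) && !S_ISDIR(before.st_mode))
        return -1;              /* device, FIFO, socket: never opened */

    /* O_NONBLOCK and O_NOCTTY limit side effects if the path was swapped
     * for a FIFO or terminal between the stat() and the open(). */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;

    /* Re-check on the descriptor: it must be the same object stat() saw. */
    if (fstat(fd, &after) != 0 ||
        after.st_dev != before.st_dev || after.st_ino != before.st_ino ||
        (!S_ISREG(after.st_mode) && !S_ISDIR(after.st_mode))) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *paths[] = { "/etc/passwd", "/tmp", "/dev/null", "/dev/zero" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        int fd = open_local_file(paths[i]);
        printf("%-12s %s\n", paths[i], fd >= 0 ? "opened" : "refused");
        if (fd >= 0)
            close(fd);
    }
    return 0;
}
```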

