oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [patch] proc.5: tell how to parse /proc/*/stat correctly

From: "David A. Wheeler" <dwheeler () dwheeler com>
Date: Thu, 29 Dec 2022 12:56:22 -0500
On Dec 29, 2022, at 11:43 AM, Alan Coopersmith <alan.coopersmith () oracle com> wrote:



Another solution is to escape bytes that might cause trouble in this field, e.g., using %xx hexadecimal.
So space would be %20, ")" would be %41, control characters 1-31 would be %01 to %1f,
and (of course) "%" would be encoded as %25.
Basically, URL-encode / Percent-encode them. See: https://en.wikipedia.org/wiki/Percent-encoding

Technically this would be a userspace change, but only in cases where the system
would probably have done the wrong thing previously. It's okay if we break *attacker* workflows
as long as we don't break others'. An advantage of URL encoding is that,
like JSON, it's a well-known format. I might do something different if this was a new system,
but that seems like the least-impact approach while eliminating the problem.

--- David A .Wheeler
Previous By Date Next
Previous By Thread Next

Current thread: