Thread overview | ||||||
---|---|---|---|---|---|---|
|
February 20, 2010 [dmd-internals] Tighten security on file imports | ||||
---|---|---|---|---|
| ||||
Hi, I just saw the changeset 389[1], and I think this is going the wrong way. Security should be tighten, but trying to keep the restrictions on files as much as possible (not the other way). What is the point on not allowing, for example, "+", "-", " " and a whole lot of harmless chars? I really can't understand that change. Related to this is bug 3420[2] (with a partial, Linux/Posix-only, patch written by me), why tries to keep security loosing restrictions. You even accept "." chars in the name (in the dumb check for valid characters), which is the most harmful char that ever existed =) [1] http://www.dsource.org/projects/dmd/changeset/389 [2] http://d.puremagic.com/issues/show_bug.cgi?id=3420 -- Leandro Lucarella (AKA luca) http://llucax.com.ar/ ---------------------------------------------------------------------- GPG Key: 5F5A8D05 (F8CD F9A7 BF00 5431 4145 104C 949E BFB6 5F5A 8D05) ---------------------------------------------------------------------- |
February 21, 2010 [dmd-internals] Tighten security on file imports | ||||
---|---|---|---|---|
| ||||
Posted in reply to Leandro Lucarella | I think your patch is good for Posix, but not for Windows. I'll leave the existing code for Windows. I agree it's more restrictive than necessary, but I don't know all the tricks people use on these things, so I thought it best to err on the safe side.
Leandro Lucarella wrote:
> Hi, I just saw the changeset 389[1], and I think this is going the wrong way. Security should be tighten, but trying to keep the restrictions on files as much as possible (not the other way).
>
> What is the point on not allowing, for example, "+", "-", " " and a whole lot of harmless chars? I really can't understand that change.
>
> Related to this is bug 3420[2] (with a partial, Linux/Posix-only, patch written by me), why tries to keep security loosing restrictions.
>
> You even accept "." chars in the name (in the dumb check for valid
> characters), which is the most harmful char that ever existed =)
>
>
> [1] http://www.dsource.org/projects/dmd/changeset/389
> [2] http://d.puremagic.com/issues/show_bug.cgi?id=3420
>
>
|
February 21, 2010 [dmd-internals] Tighten security on file imports | ||||
---|---|---|---|---|
| ||||
Posted in reply to Leandro Lucarella | I did some googling on this, apparently this is not an easy fix on any system other than Linux. Changeset 396 for more details.
Leandro Lucarella wrote:
> Hi, I just saw the changeset 389[1], and I think this is going the wrong way. Security should be tighten, but trying to keep the restrictions on files as much as possible (not the other way).
>
> What is the point on not allowing, for example, "+", "-", " " and a whole lot of harmless chars? I really can't understand that change.
>
> Related to this is bug 3420[2] (with a partial, Linux/Posix-only, patch written by me), why tries to keep security loosing restrictions.
>
> You even accept "." chars in the name (in the dumb check for valid
> characters), which is the most harmful char that ever existed =)
>
>
> [1] http://www.dsource.org/projects/dmd/changeset/389
> [2] http://d.puremagic.com/issues/show_bug.cgi?id=3420
>
>
|
February 22, 2010 [dmd-internals] Tighten security on file imports | ||||
---|---|---|---|---|
| ||||
Posted in reply to Walter Bright | Walter Bright, el 21 de febrero a las 23:01 me escribiste: > I did some googling on this, apparently this is not an easy fix on any system other than Linux. Changeset 396 for more details. Fair enough. Thank you. -- Leandro Lucarella (AKA luca) http://llucax.com.ar/ ---------------------------------------------------------------------- GPG Key: 5F5A8D05 (F8CD F9A7 BF00 5431 4145 104C 949E BFB6 5F5A 8D05) ---------------------------------------------------------------------- |
Copyright © 1999-2021 by the D Language Foundation