This one time, at band camp, Moritz Muehlenhoff said:
> Roland Mas wrote:
> > I'd like to upload a fixed package to sid and etch-security (sarge
> > is not affected). I'd welcome feedback on the patch
>
> I only had a brief look at it, but I generally recommend to identify
> a set of allowed and known to be secure characters and only allow
> these instead of filtering potential malicious characters.
> So, if the value to be sanitised is a file name you could limit it to
> "/", a-z, A-Z and 0-9.
>
> If you want to filter the input as in your proposed patch please make
> sure to compare your list of harmful characters against the list from
> the Security Unix Programming HOWTO:
> http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/handle-metacharacters.html

This is also helpful: http://www.wiretrip.net/rfp/txt/phrack55.txt
(aimed at perl, but the same principles apply).

-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
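
The allow-list approach recommended in the quoted reply, set beside a deny-list filter, as an added example that is not part of this thread or of the patch under discussion. Python is an assumption (the thread does not say what language the package is written in), and the `DENIED` set is a hypothetical deny-list built for contrast, not the list from the proposed patch.

```python
import re

# Allow-list from the advice above: "/", a-z, A-Z and 0-9, nothing else.
# The class is spelled out in ASCII; \w or str.isalnum() would admit Unicode.
ALLOWED = re.compile(r"[A-Za-z0-9/]+")

# Hypothetical deny-list for contrast: a handful of shell metacharacters.
DENIED = set(";|&`$<>")


def allowlist_ok(name):
    """Accept only if every character is in the allowed set.

    fullmatch() is used instead of match() with a trailing "$", because "$"
    also matches just before a final newline and would accept "name\\n".
    The "+" quantifier rejects the empty string as well.
    """
    return ALLOWED.fullmatch(name) is not None


def rejected_chars(name):
    """Return the sorted offending characters, e.g. for a log message."""
    return sorted({ch for ch in name if not ALLOWED.fullmatch(ch)})


def denylist_filter(name):
    """Strip characters listed in DENIED; anything not listed passes through."""
    return "".join(ch for ch in name if ch not in DENIED)


# Constructed sample inputs, not taken from the bug report.
SAMPLES = [
    "var/lib/pkg/file01",  # plain path: accepted
    "file;name",           # on the deny-list: stripped there, rejected here
    "file name",           # space: not on the deny-list
    "file\nname",          # newline: not on the deny-list
    "file'name",           # quote: not on the deny-list
    "-rf",                 # leading dash, read as an option by many tools
    "file\u00e9",          # non-ASCII letter
    "file01\n",            # trailing newline
]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict = "accept" if allowlist_ok(s) else "reject"
        print(f"{s!r:24} allow-list: {verdict:6} "
              f"bad={rejected_chars(s)!r:12} deny-list -> {denylist_filter(s)!r}")
```

Every sample after the first is rejected by the allow-list, while the deny-list changes only the one containing `;` and returns the rest untouched.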