Re: joe: Potential security risk: control characters in filenames are printed without filtering.
Hi,
Since one security issue has been fixed in joe very recently, I parsed
its bug list a bit and noticed another fishy thing.
On 7 Aug 1999, which was 1 year and 112 days ago (incredible, isn't it),
Andras Korn wrote:
> if you create a file named ^G (ctrl-g) and open it in joe, you will hear a
> beep as the status line is updated; you will also hear it upon exit, when
> joe prints the message about not updating the file because it was not
> changed.
I can reproduce it, joe ^V^G and it beeps when (in)appropriate.
> A malicious user could create a file whose name contains more harmful
> control characters and wait for another user to open that file in joe
> (perhaps inadvertently; e.g. by using the TAB completion of many shells, or
> from a graphical user interface).
>
> I admit this is a long shot, but still: filenames should be filtered and
> control characters removed before the name of the file is printed.
It seems these messages are made with stuff like
sprintf(msgbuf,"File %.60s saved",s);
(BTW originally the %.60s was %s, Dale patched it)
How big a risk is this, can you security people advise me please?
> This potentially affects many other packages as well. grep is also
> vulnerable; I will post a separate report for that package, but currently
> I don't have the time to check any others.
If I run `grep -l foo' on a file called ^G, it will beep. FWIW.
--
Digital Electronic Being Intended for Assassination and Nullification
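An added example of the filtering the report asks for, not joe's or Dale's code: a C routine that rewrites C0 control characters and DEL into caret notation (^G, ^[, ^?) before the name goes through the "File %.60s saved" format, so the terminal never sees the raw bytes. The function names, buffer sizes and the sample filename are my own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Render a filename for terminal display: C0 control characters and DEL
 * are shown in caret notation (0x07 -> "^G", 0x1b -> "^[", 0x7f -> "^?"),
 * so the name cannot ring the bell or start an escape sequence.
 * Returns the number of bytes written (excluding the NUL), or -1 when
 * the output buffer is too small. */
int sanitize_filename(const char *name, char *out, size_t outlen)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        unsigned char c = *p;
        if (c < 0x20 || c == 0x7f) {
            if (o + 2 >= outlen) return -1;
            out[o++] = '^';
            out[o++] = (char)(c ^ 0x40);  /* caret notation: flip bit 6 */
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Build the status message the way the mail describes, but from the
 * sanitized name.  %.60s is kept so the message buffer cannot overflow;
 * snprintf bounds it a second time.  Returns snprintf's result or -1. */
int format_saved_msg(const char *name, char *msgbuf, size_t msglen)
{
    char clean[256];  /* assumed display buffer, hypothetical size */
    if (sanitize_filename(name, clean, sizeof clean) < 0)
        return -1;
    return snprintf(msgbuf, msglen, "File %.60s saved", clean);
}

int main(void)
{
    /* Constructed sample: a filename carrying BEL and a clear-screen
     * escape sequence, as a malicious user might create. */
    const char *evil = "notes\a.txt\x1b[2J";
    char msg[128];
    if (format_saved_msg(evil, msg, sizeof msg) < 0)
        return 1;
    puts(msg);  /* prints: File notes^G.txt^[[2J saved */
    return 0;
}
```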