Bugtraq mailing list archives

Re: Linux, too, sort of (Windows MS-DOS Device Name DoS vulnerabilities)


From: aland () striker ottawa on ca
Date: Wed, 18 Jul 2001 12:09:40 -0400

Ishikawa <ishikawa () yk rim or jp> wrote:
due to the problems mentioned,
we should not forget that a famous browser client on
Linux is similarly guilty.

I tried the following URLs with
my netscape browser under Linux.

    file:///dev/null
...
    file:///dev/zero
...
    file:///dev/pty0

  A 'stat' of all of these files shows that they are not regular
files.  There's no reason, then, to open them in the browser.

If someone wants to be nasty, he/she can
create a web page with
URLs inside <IMG SRC="these device files" ....>
listing DOS devices as well as these popular UNIX devices.

  I question the wisdom of browsers which allow external web pages to
reference local files via 'file://' URLs.

As someone mentioned, we can't predict what other
device files may show up in the future by addition of
new hardware drivers.

  We also cannot predict where special files exist, either.  Placing
the special file 'zero' in '/dev' is simply an administrative
convention on many Unix systems.  Device files can exist anywhere.

One may be tempted to block all the files below /dev inside
the browser/servers.
Could this be a cure for this problem under linux/UNIX?

  No.  The browsers should be using the 'fstat' function, prior to
opening any 'file://' URL.  Regular files and directories should be
OK.  Links should have their links de-referenced, and the linked-to
file 'fstat'ed also.  Any other files should be ignored.

  Alan DeKok.
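
The check described in the message above, as an added example that is not part of the original post. The helper name `open_local_file` is hypothetical; it opens the path first and calls `fstat` on the descriptor, so the object that is checked is the same object that would be read.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open the local path taken from a file:// URL.
 * Returns a read-only descriptor for a regular file or directory,
 * or -1 for anything else (devices, FIFOs, sockets, errors). */
int open_local_file(const char *path)
{
    struct stat st;

    /* O_NONBLOCK: do not hang on a FIFO or a device with no data.
     * O_NOCTTY:   never acquire a terminal as controlling tty.
     * open() follows symbolic links, so the check below applies
     * to the linked-to file, wherever in the tree it lives. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;

    /* fstat() the descriptor, not the name: a path that is swapped
     * between a check and a later open cannot bypass this test. */
    if (fstat(fd, &st) != 0 ||
        !(S_ISREG(st.st_mode) || S_ISDIR(st.st_mode))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Usage: ./check /dev/null /dev/zero /etc/hostname /tmp */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int fd = open_local_file(argv[i]);
        printf("%-24s %s\n", argv[i], fd >= 0 ? "accepted" : "refused");
        if (fd >= 0)
            close(fd);
    }
    return 0;
}
```

Because the decision is made on the file type rather than on the path, a device node created outside `/dev` is refused in the same way as `/dev/zero`.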

