Bugtraq mailing list archives
Re: Linux, too, sot of (Windows MS-DOS Device Name DoS vulnerabilities)
From: der Mouse <mouse () Rodents Montreal QC CA>
Date: Thu, 19 Jul 2001 01:11:29 -0400 (EDT)
file:///dev/pty0
However, the UNIX API has a very simple and *reliable* way around this: stat(2)
That's good enough to defend against hostile remote content - though as someone pointed out, it's arguably broken to obey file: URLs at all from anything but another file:. (Or when user-specified, of course.)

However, using stat() still leaves you vulnerable to local races of the sort I'm sure we've all seen far more examples of than we'd like.

I'm not even sure I'd want to disable device file:s, actually. To (probably mis-)quote someone or other, "UNIX does not prevent you from doing stupid things because that would also prevent you from doing clever things".

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse () rodents montreal qc ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
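An added example, not part of the message above or of any code from the thread: one way to close the stat()-then-open() race the reply mentions is to open first and call fstat(2) on the descriptor, so the check applies to the object actually held. The helper name `open_regular_file` is hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from the thread): return a read-only descriptor
 * for `path` only if it names a regular file. Returns -1 with errno set
 * otherwise (EINVAL for devices, FIFOs, directories, sockets). */
int open_regular_file(const char *path)
{
    struct stat st;
    int saved, flags;

    /* O_NONBLOCK: do not hang in open() on a FIFO with no writer or on a
     * terminal line. O_NOCTTY: never acquire a controlling terminal.
     * Note: open() on some device nodes has side effects of its own; this
     * pattern removes the check-then-open race, not those side effects. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;

    /* fstat() inspects the open descriptor, so the path cannot be swapped
     * for a device node between the check and the use. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        saved = S_ISREG(st.st_mode) ? errno : EINVAL;
        close(fd);
        errno = saved;
        return -1;
    }

    /* Restore ordinary blocking reads for the caller. */
    flags = fcntl(fd, F_GETFL);
    if (flags >= 0)
        fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
    return fd;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/null";
    int fd = open_regular_file(path);
    printf("%s: %s\n", path, fd >= 0 ? "regular file, opened" : "refused");
    if (fd >= 0)
        close(fd);
    return 0;
}
```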