View Full Version : Re: Solaris priocntl exploit

Pavel Kankovsky
23/12/02, 23:04
On Mon, 2 Dec 2002, Jay Beale wrote:

> This always gets classified as bad input validation. Is the right
> answer really to check for ../ 's or to canonicalize the filename
> argument and check ownerships and permissions on the file and parent
> directories?

#2 is wrong: even a root-only-writable file under root-only-writable
directories may be dangerous (e.g. a backup copy of an old and vulnerable
scheduler module). Moreover, its contents may be under the control of
other users even if the fs permissions do not allow direct access (mail
queue, logs...--most of them should make it pretty difficult to create
a valid ELF object (logs) or should not appear on a properly configured
system (MTA running under root) but...)

#1 is much better assuming there is nothing but valid scheduler modules
in /kernel/sched et al (!). Nevertheless, one should always follow "the
principle of least inclusion" and check against a conservative set of
valid inputs (e.g. those matching [A-Z0-9_]{1,15}) rather than against a
set of known invalid or dangerous inputs (e.g. ../).

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
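The contrast Pavel draws between approach #1 (reject known-bad inputs such as `../`) and "the principle of least inclusion" (accept only a conservative set such as `[A-Z0-9_]{1,15}`), as an added example that is not part of the original thread and not Solaris code. The two checker functions, the 15-character limit taken from the post's regex, and the sample names are this example's own assumptions; the point it shows is that a denylist lets through anything it did not anticipate, while the allowlist accepts nothing outside the set of names a scheduler module could legitimately have.

```c
/* Allowlist vs. denylist validation of a scheduler-class name.
 * Added illustration, not code from the thread or from Solaris. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CLASS_NAME_MAX 15   /* upper bound from the post's [A-Z0-9_]{1,15} */

/* Least inclusion: accept only names made of [A-Z0-9_], length 1..15.
 * Anything else is rejected, whether or not it looks dangerous. */
bool class_name_allowed(const char *name)
{
    if (name == NULL)
        return false;
    size_t len = strlen(name);
    if (len < 1 || len > CLASS_NAME_MAX)
        return false;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        bool ok = (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') ||
                  c == '_';
        if (!ok)
            return false;
    }
    return true;
}

/* Denylist (approach #1 in the post): reject only names containing "../".
 * Everything not on the list passes, including names no module has. */
bool class_name_passes_denylist(const char *name)
{
    return name != NULL && strstr(name, "../") == NULL;
}

/* Constructed sample inputs: real Solaris class names (TS, RT, FSS, SYS)
 * plus names that are well-formed for the denylist but outside the
 * allowlist. Returns how many inputs the two checks disagree on. */
int count_disagreements(void)
{
    static const char *const samples[] = {
        "TS", "RT", "FSS", "SYS",          /* accepted by both */
        "../X",                            /* rejected by both */
        "ts",                              /* lowercase: allowlist only */
        "SYS/X",                           /* slash without "../" */
        "AAAAAAAAAAAAAAAA",                /* 16 chars: too long */
        "",                                /* empty name */
    };
    int disagreements = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool a = class_name_allowed(samples[i]);
        bool d = class_name_passes_denylist(samples[i]);
        if (a != d)
            disagreements++;
    }
    return disagreements;
}

int main(void)
{
    static const char *const show[] = { "TS", "../X", "SYS/X", "AAAAAAAAAAAAAAAA" };
    printf("%-18s allowlist denylist\n", "name");
    for (size_t i = 0; i < sizeof show / sizeof show[0]; i++)
        printf("%-18s %-9s %s\n", show[i],
               class_name_allowed(show[i]) ? "accept" : "reject",
               class_name_passes_denylist(show[i]) ? "accept" : "reject");
    printf("inputs where the checks disagree: %d\n", count_disagreements());
    return 0;
}
```

Every case where the two checks disagree is one the denylist accepts and the allowlist rejects, never the reverse: a name that is in the conservative set is by construction free of `../`. That asymmetry is why the post recommends validating against the set of valid inputs rather than against a list of known-bad ones.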