From oss-security Thu Dec 29 17:56:22 2022
From: "David A. Wheeler"
Date: Thu, 29 Dec 2022 17:56:22 +0000
To: oss-security
Subject: Re: [oss-security] [patch] proc.5: tell how to parse /proc/*/stat correctly
Message-Id: <90735C03-0C34-49ED-A79A-EC0165C274CC () dwheeler ! com>
X-MARC-Message: https://marc.info/?l=oss-security&m=167233618400664

> On Dec 29, 2022, at 11:43 AM, Alan Coopersmith wrote:

Another solution is to escape bytes that might cause trouble in this field, e.g., using %xx hexadecimal.
So space would be %20, ")" would be %41, control characters 1-31 would be %01 to %1f,
and (of course) "%" would be encoded as %25.
Basically, URL-encode / Percent-encode them. See: https://en.wikipedia.org/wiki/Percent-encoding

Technically this would be a userspace change, but only in cases where the
system would probably have done the wrong thing previously. It's okay if we break *attacker*
workflows as long as we don't break others'.

An advantage of URL encoding is that, like JSON,
it's a well-known format. I might do something different if this was a new system,
but that seems like the least-impact approach while eliminating the problem.

--- David A. Wheeler
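An added sketch (not part of the original message and not kernel code) of the escaping this mail proposes. It percent-encodes a comm value and shows that a consumer which splits on whitespace reads the real state field once the name is escaped. The function names and the sample line are constructed for illustration, and "(" is left unescaped because the mail does not list it.

```c
#include <stdio.h>
#include <string.h>

/* Percent-encode comm into out; returns length written, or -1 if out is too small. */
int comm_escape(const char *comm, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t n = 0;
    if (outsz == 0)
        return -1;
    for (; *comm; comm++) {
        unsigned char c = (unsigned char)*comm;
        /* Bytes the mail lists: space, ')', '%', control bytes 1-31. */
        int esc = c == ' ' || c == ')' || c == '%' || (c >= 1 && c <= 31);
        if (n + (esc ? 3 : 1) + 1 > outsz)   /* keep room for the NUL */
            return -1;
        if (esc) {
            out[n++] = '%';
            out[n++] = hex[c >> 4];
            out[n++] = hex[c & 15];
        } else {
            out[n++] = (char)c;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Naive consumer: split on whitespace, take field 3 as the state (0 on failure). */
char naive_state(const char *line)
{
    int pid;
    char comm[64], state[64];
    return sscanf(line, "%d %63s %63s", &pid, comm, state) == 3 ? state[0] : 0;
}

/* Build a constructed "pid (comm) state ppid" line and parse it naively. */
char stat_state(const char *comm, int escape)
{
    char enc[64], line[128];
    if (escape && comm_escape(comm, enc, sizeof enc) < 0)
        return 0;
    snprintf(line, sizeof line, "1234 (%s) S 1", escape ? enc : comm);
    return naive_state(line);
}

int main(void)
{
    printf("raw: %c  escaped: %c\n", stat_state("a) Z 1 (b", 0), stat_state("a) Z 1 (b", 1));
}
```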