[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] [patch] proc.5: tell how to parse /proc/*/stat correctly
From:       "David A. Wheeler" <dwheeler () dwheeler ! com>
Date:       2022-12-29 17:56:22
Message-ID: 90735C03-0C34-49ED-A79A-EC0165C274CC () dwheeler ! com
[Download RAW message or body]

> On Dec 29, 2022, at 11:43 AM, Alan Coopersmith =
<alan.coopersmith@oracle.com> wrote:


Another solution is to escape bytes that might cause trouble in this =
field, e.g., using %xx hexadecimal.
So space would be %20, ")" would be %41, control characters 1-31 would =
be %01 to %1f,
and (of course) "%" would be encoded as %25.
Basically, URL-encode / Percent-encode them. See: =
https://en.wikipedia.org/wiki/Percent-encoding

Technically this would be a userspace change, but only in cases where =
the system
would probably have done the wrong thing previously. It's okay if we =
break *attacker* workflows
as long as we don't break others'. An advantage of URL encoding is that,
like JSON, it's a well-known format. I might do something different if =
this was a new system,
but that seems like the least-impact approach while eliminating the =
problem.

--- David A .Wheeler

[prev in list] [next in list] [prev in thread] [next in thread]