...
Data sanitization requires an understanding of the data being passed and the capabilities of the subsystem. John Viega and Matt Messier provide an example of an application that inputs an email address into a buffer and then uses this string as an argument in a call to {{system()}} \[[Viega 2003|AA. Bibliography#Viega 03]\]: |
```c
/* Noncompliant: addr comes from the user and is spliced unchanged into a
   shell command line, so any shell metacharacters it contains reach the shell. */
sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
system(buffer);
```
...
The white listing approach to data sanitization is to define a list of acceptable characters and remove any character that is not acceptable. The list of valid input values is typically a predictable, well-defined set of manageable size. This example, based on the tcp_wrappers package written by Wietse Venema, shows the white listing approach.
```c
#include <string.h>

static char ok_chars[] = "abcdefghijklmnopqrstuvwxyz"
                         "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                         "1234567890_-.@";
char user_data[] = "Bad char 1:} Bad char 2:{";
char *cp = user_data; /* cursor into string */
const char *end = user_data + strlen(user_data);
/* strspn() skips each run of acceptable characters; every stop is a
   character outside the white list, which is overwritten with '_' */
for (cp += strspn(cp, ok_chars); cp != end; cp += strspn(cp, ok_chars)) {
  *cp = '_';
}
```
...
The vulnerability in in.telnetd invokes the login program by calling execl(). This call passes unsanitized data from an untrusted source (the USER environment variable) as an argument to the login program.
```c
#include <stdlib.h>
#include <unistd.h>

/* Noncompliant: the value of USER is attacker controlled and is handed to
   login as a positional argument, so login may parse it as an option */
(void) execl(LOGIN_PROGRAM, "login",
             "-p",
             "-d", slavename,
             "-h", host,
             "-s", pam_svc_name,
             (AuthenticatingUser != NULL ? AuthenticatingUser :
              getenv("USER")),
             (char *)0);  /* execl() is variadic; the terminator must be a null pointer */
```
...
The following compliant solution inserts the "--" argument before the call to getenv("USER") in the call to execl(), so that login stops option processing and treats the USER value as a plain argument even if it begins with '-':
```c
#include <stdlib.h>
#include <unistd.h>

/* Compliant: "--" ends option parsing in login, so whatever follows is
   taken as the user name and never as an option */
(void) execl(LOGIN_PROGRAM, "login",
             "-p",
             "-d", slavename,
             "-h", host,
             "-s", pam_svc_name,
             "--",
             (AuthenticatingUser != NULL ? AuthenticatingUser :
              getenv("USER")),
             (char *)0);  /* null-pointer terminator for the variadic call */
```
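The two ideas above, the white list filter and the leading '-' problem that the "--" argument guards against, combined in one bounded helper. This is an added example, not code from the page, tcp_wrappers or in.telnetd; the function names whitelist_copy and is_safe_positional_arg are assumptions. It also shows why a white list that admits '-' is not enough on its own for a callee that does not honor "--".

```c
#include <stddef.h>
#include <string.h>

/* Same white list as the tcp_wrappers example above. */
static const char ok_chars[] = "abcdefghijklmnopqrstuvwxyz"
                               "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                               "1234567890_-.@";

/*
 * Copy `in` into `out` (capacity outlen), replacing every byte that is
 * not in ok_chars with '_'.  Returns the number of bytes replaced, or -1
 * if the input plus terminator does not fit.  A non-zero count tells the
 * caller the data was altered, so it can reject the request instead of
 * silently forwarding a rewritten value.
 */
int whitelist_copy(const char *in, char *out, size_t outlen) {
  size_t len = strlen(in);
  if (outlen == 0 || len >= outlen) {
    return -1;
  }
  int replaced = 0;
  for (size_t i = 0; i < len; i++) {
    /* in[i] is never '\0' here, so strchr() cannot match the terminator */
    if (strchr(ok_chars, in[i]) != NULL) {
      out[i] = in[i];
    } else {
      out[i] = '_';
      replaced++;
    }
  }
  out[len] = '\0';
  return replaced;
}

/*
 * ok_chars admits '-', so a value that passes the white list may still
 * start with '-' and be parsed as an option by the receiving program.
 * Returns 1 only if the value is non-empty, passes the white list
 * unchanged and does not begin with '-'.
 */
int is_safe_positional_arg(const char *value) {
  char tmp[256];  /* assumed upper bound for a user name */
  if (value[0] == '\0' || value[0] == '-') {
    return 0;
  }
  return whitelist_copy(value, tmp, sizeof tmp) == 0;
}
```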
...