From mboxrd@z Thu Jan 1 00:00:00 1970
From: John Newbigin
Subject: Re: RFC: Illegal Characters in File Names
Date: Wed, 21 Jul 2004 09:52:21 +1000
Sender: linux-fsdevel-owner@vger.kernel.org
Message-ID: <40FDB035.1050000@it.swin.edu.au>
References: <20040720205733.GN3227@vagabond> <200407202109.i6KL9f318138@watkins-home.com> <20040720221328.GH12308@parcelfarce.linux.theplanet.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Guy , 'Jan Hudec' , 'Bryan Henderson' , linux-fsdevel@vger.kernel.org, "'Joseph D. Wagner'"
Return-path:
Received: from venus.it.swin.edu.au ([136.186.5.30]:9127 "EHLO it.swin.edu.au") by vger.kernel.org with ESMTP id S266364AbUGTXwf (ORCPT ); Tue, 20 Jul 2004 19:52:35 -0400
To: viro@parcelfarce.linux.theplanet.co.uk
In-Reply-To: <20040720221328.GH12308@parcelfarce.linux.theplanet.co.uk>
List-Id: linux-fsdevel.vger.kernel.org

viro@parcelfarce.linux.theplanet.co.uk wrote:
...
> "If someone used the above method, they may be able to cause a simple "ll"
> command to cause another program to be run!"
>
> Mind showing the sequence that would achieve that?

http://www.kb.cert.org/vuls/id/230561
http://www.digitaldefense.net/labs/papers/Termulation.txt
Read this page ^^^^ !!!!

These are poor protocols which were not designed for security :(

It is a real problem. The solution is to fix the terminal though, not
the filesystem.

Anyone with "mesg y" may be vulnerable to a host of malicious or just
fun tricks. (set font color to black on black is my fav.)

If you must filter your file names, why not build a filter mechanism
which can do this?

John.

--
John Newbigin - Computer Systems Officer
School of Information Technology
Swinburne University of Technology
Melbourne, Australia
http://www.it.swin.edu.au/staff/jnewbigin
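
A filter applied at the point where names are written to the terminal, leaving the filesystem alone, could look like the following. This is an added example, not part of the original message; `display_safe` and the sample names are constructed for illustration, and it assumes names are mostly UTF-8.

```python
import unicodedata


def display_safe(raw_name: bytes) -> str:
    """Return a form of a file name that is safe to print to a terminal.

    The name on disk is untouched; only the rendering changes. Control
    characters (C0 including ESC, DEL, and C1 including 8-bit CSI) are
    shown as \\xNN, so the terminal never interprets them as an escape
    sequence. A literal backslash is doubled to keep the output unambiguous.
    """
    # surrogateescape maps each undecodable byte 0xNN to U+DCNN, so names
    # that are not valid UTF-8 still pass through instead of raising.
    text = raw_name.decode("utf-8", errors="surrogateescape")
    out = []
    for ch in text:
        cp = ord(ch)
        if 0xDC80 <= cp <= 0xDCFF:
            # Raw byte that was not valid UTF-8, e.g. a bare 0x9b (8-bit CSI).
            out.append("\\x%02x" % (cp - 0xDC00))
        elif ch == "\\":
            out.append("\\\\")
        elif unicodedata.category(ch) == "Cc":
            # U+0000-U+001F, U+007F, U+0080-U+009F
            out.append("\\x%02x" % cp)
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample names (not taken from the thread).
SAMPLES = [
    b"notes.txt",
    b"na\xc3\xafve.txt",           # valid UTF-8, printed unchanged
    b"report\x1b[30;40m.txt",      # ESC [ 30;40 m: black text on black
    b"two\nlines",                 # newline splits a listing line
    b"old\x9b0mname",              # bare 8-bit CSI byte, not valid UTF-8
    b"c1\xc2\x9bname",             # U+009B encoded as UTF-8
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(display_safe(raw))
```

GNU `ls` offers comparable rendering with `-b` (escape) and `-q` (replace with `?`).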