From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: sandeen@redhat.com, darrick.wong@oracle.com
Cc: linux-xfs@vger.kernel.org
Subject: [PATCH 07/14] xfs_scrub: check name for suspicious characters
Date: Tue, 20 Mar 2018 20:40:23 -0700 [thread overview]
Message-ID: <152160362336.8288.2857656394745535422.stgit@magnolia> (raw)
In-Reply-To: <152160358015.8288.2700156777231657519.stgit@magnolia>
From: Darrick J. Wong <darrick.wong@oracle.com>
Look for suspicious characters in each name we process. This includes
control characters, text direction overrides, zero-width code points,
and names that mix characters from different directionalities.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
---
scrub/unicrash.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 110 insertions(+)
diff --git a/scrub/unicrash.c b/scrub/unicrash.c
index 06ccadf..3b5b46e 100644
--- a/scrub/unicrash.c
+++ b/scrub/unicrash.c
@@ -94,6 +94,18 @@ struct unicrash {
*/
#define UNICRASH_NOT_UNIQUE (1 << 0)
+/* Name contains directional overrides. */
+#define UNICRASH_BIDI_OVERRIDE (1 << 1)
+
+/* Name mixes left-to-right and right-to-left characters. */
+#define UNICRASH_BIDI_MIXED (1 << 2)
+
+/* Control characters in name. */
+#define UNICRASH_CONTROL_CHAR (1 << 3)
+
+/* Invisible characters. Only a problem if we have collisions. */
+#define UNICRASH_ZERO_WIDTH (1 << 4)
+
/*
* We only care about validating utf8 collisions if the underlying
* system configuration says we're using utf8. If the language
@@ -267,6 +279,66 @@ name_entry_hash(
}
}
+/*
+ * Check a name for suspicious elements that have appeared in filename
+ * spoofing attacks. This includes names that mixed directions or contain
+ * direction overrides control characters, both of which have appeared in
+ * filename spoofing attacks.
+ */
+static void
+name_entry_examine(
+ struct name_entry *entry,
+ unsigned int *badflags)
+{
+ UChar32 uchr;
+ int32_t i;
+ uint8_t mask = 0;
+
+ for (i = 0; i < entry->normstrlen;) {
+ U16_NEXT_UNSAFE(entry->normstr, i, uchr);
+
+ /* zero width character sequences */
+ switch (uchr) {
+ case 0x200B: /* zero width space */
+ case 0x200C: /* zero width non-joiner */
+ case 0x200D: /* zero width joiner */
+ case 0xFEFF: /* zero width non breaking space */
+ case 0x2060: /* word joiner */
+ case 0x2061: /* function application */
+ case 0x2062: /* invisible times (multiply) */
+ case 0x2063: /* invisible separator (comma) */
+ case 0x2064: /* invisible plus (addition) */
+ *badflags |= UNICRASH_ZERO_WIDTH;
+ break;
+ }
+
+ /* control characters */
+ if (u_iscntrl(uchr))
+ *badflags |= UNICRASH_CONTROL_CHAR;
+
+ switch (u_charDirection(uchr)) {
+ case U_LEFT_TO_RIGHT:
+ mask |= 0x01;
+ break;
+ case U_RIGHT_TO_LEFT:
+ mask |= 0x02;
+ break;
+ case U_RIGHT_TO_LEFT_OVERRIDE:
+ *badflags |= UNICRASH_BIDI_OVERRIDE;
+ break;
+ case U_LEFT_TO_RIGHT_OVERRIDE:
+ *badflags |= UNICRASH_BIDI_OVERRIDE;
+ break;
+ default:
+ break;
+ }
+ }
+
+ /* mixing left-to-right and right-to-left chars */
+ if (mask == 0x3)
+ *badflags |= UNICRASH_BIDI_MIXED;
+}
+
/* Initialize the collision detector. */
static bool
unicrash_init(
@@ -369,6 +441,18 @@ unicrash_complain(
bad2 = string_escape(dup_entry->name);
/*
+ * Most filechooser UIs do not look for bidirectional overrides when
+ * they render names. This can result in misleading name presentation
+ * that makes "hig<rtl>gnp.sh" render like "highs.png".
+ */
+ if (badflags & UNICRASH_BIDI_OVERRIDE) {
+ str_warn(uc->ctx, descr,
+_("Unicode name \"%s\" in %s contains suspicious text direction overrides."),
+ bad1, what);
+ goto out;
+ }
+
+ /*
* Two names that normalize to the same string will render
* identically even though the filesystem considers them unique
* names. "cafe\xcc\x81" and "caf\xc3\xa9" have different byte
@@ -381,6 +465,30 @@ _("Unicode name \"%s\" in %s renders identically to \"%s\"."),
goto out;
}
+ /*
+ * Unfiltered control characters can mess up your terminal and render
+ * invisibly in filechooser UIs.
+ */
+ if (badflags & UNICRASH_CONTROL_CHAR) {
+ str_warn(uc->ctx, descr,
+_("Unicode name \"%s\" in %s contains control characters."),
+ bad1, what);
+ goto out;
+ }
+
+ /*
+ * It's not considered good practice (says Unicode) to mix LTR
+ * characters with RTL characters. The mere presence of different
+ * bidirectional characters isn't enough to trip up software, so don't
+ * warn about this too loudly.
+ */
+ if (badflags & UNICRASH_BIDI_MIXED) {
+ str_info(uc->ctx, descr,
+_("Unicode name \"%s\" in %s mixes bidirectional characters."),
+ bad1, what);
+ goto out;
+ }
+
out:
free(bad1);
free(bad2);
@@ -442,6 +550,8 @@ __unicrash_check_name(
if (!name_entry_create(uc, name, ino, &new_entry))
return true;
+ name_entry_examine(new_entry, &badflags);
+
moveon = unicrash_add(uc, new_entry, &badflags, &dup_entry);
if (!moveon)
return false;
next prev parent reply other threads:[~2018-03-21 3:40 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-21 3:39 [PATCH 00/14] xfsprogs: online scrub fixes Darrick J. Wong
2018-03-21 3:39 ` [PATCH 01/14] xfs_scrub: avoid buffer overflow when scanning attributes Darrick J. Wong
2018-04-03 17:30 ` Eric Sandeen
2018-04-05 3:57 ` Darrick J. Wong
2018-04-11 0:20 ` Darrick J. Wong
2018-04-11 0:27 ` [PATCH v2 " Darrick J. Wong
2018-03-21 3:39 ` [PATCH 02/14] xfs_scrub: only run ascii name checks if unicode name checker Darrick J. Wong
2018-04-03 17:49 ` Eric Sandeen
2018-03-21 3:39 ` [PATCH 03/14] xfs_scrub: don't complain about different normalization Darrick J. Wong
2018-04-10 23:37 ` Eric Sandeen
2018-03-21 3:40 ` [PATCH 04/14] xfs_scrub: communicate name problems via flagset instead of booleans Darrick J. Wong
2018-04-10 23:46 ` Eric Sandeen
2018-03-21 3:40 ` [PATCH 05/14] xfs_scrub: make name_entry a first class structure Darrick J. Wong
2018-03-21 3:40 ` [PATCH 06/14] xfs_scrub: transition from libunistring to libicu for Unicode processing Darrick J. Wong
2018-03-21 3:40 ` Darrick J. Wong [this message]
2018-03-21 3:40 ` [PATCH 08/14] xfs_scrub: use Unicode skeleton function to find confusing names Darrick J. Wong
2018-03-26 19:58 ` [PATCH v2 " Darrick J. Wong
2018-03-21 3:40 ` [PATCH 09/14] xfs_scrub: don't warn about confusing names if dir/file only writable by root Darrick J. Wong
2018-03-26 19:59 ` [PATCH v2 " Darrick J. Wong
2018-03-21 3:40 ` [PATCH 10/14] xfs_scrub: refactor mountpoint finding code to use libfrog path code Darrick J. Wong
2018-04-11 1:48 ` Eric Sandeen
2018-03-21 3:40 ` [PATCH 11/14] xfs_scrub_all: report version Darrick J. Wong
2018-04-11 0:28 ` Eric Sandeen
2018-03-21 3:40 ` [PATCH 12/14] xfs_scrub: disable private /tmp for scrub service Darrick J. Wong
2018-04-11 1:45 ` Eric Sandeen
2018-04-11 1:49 ` Darrick J. Wong
2018-04-11 1:53 ` [PATCH v2 " Darrick J. Wong
2018-03-21 3:41 ` [PATCH 13/14] xfs_scrub_all: escape paths being passed to systemd service instances Darrick J. Wong
2018-04-11 1:31 ` Eric Sandeen
2018-03-21 3:41 ` [PATCH 14/14] xfs_scrub_all: use system encoding for lsblk output decoding Darrick J. Wong
2018-04-11 1:35 ` Eric Sandeen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=152160362336.8288.2857656394745535422.stgit@magnolia \
--to=darrick.wong@oracle.com \
--cc=linux-xfs@vger.kernel.org \
--cc=sandeen@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox