Security implications of using open() on untrusted strings.

[Thomas Bellman]

r0g <aioe.org at technicalbloke.com> wrote:

> Although it's a desktop (not internet facing) app I'm a little squeamish
> piping raw user input into a filesystem function like that and this app
> will be dealing with some particularly sensitive data so I want to be
> careful and minimize exposure where practical.

> Has programming PHP and Web stuff for years made me overly paranoid
> about this or do I should I still be scrubbing input like this before I
> feed it to filesystem functions?  If so does anyone know of a module
> that may help or have any other advice.

> Note: In this particular case the user input is only specifying the name
> of a file that will be opened for writing _not_ reading and the
> interface is GUI only (wxWidgets).

Is the user *running* the application the same as the user who
feeds it input?  If it is, then there is no need to filter the
filenames, since that user could just do "rm bad-file" (or "DEL
BAD-FILE" on MS-Windows) anyway to destroy it.

(Of course, if you are passing the filename to, e.g, os.system(),
you would need to quote it properly, but that is to avoid
surprising the user; it is one thing to let the user overwrite a
file named "foo; rm -rf $HOME", quite another to pass that string
unquoted to /bin/sh when the user thought he was just typing a
filename.)


-- 
Thomas Bellman,   Lysator Computer Club,   Linköping University,  Sweden
"I don't think [that word] means what you    !  bellman @ lysator.liu.se
 think it means."   -- The Princess Bride    !  Make Love -- Nicht Wahr!