The dangerous, exquisite art of safely handing user-uploaded files: Tom Eastman

Marko Rauhamaa marko at pacujo.net
Mon Aug 22 12:08:35 EDT 2016


Random832 <random832 at fastmail.com>:

> On Mon, Aug 22, 2016, at 11:40, Chris Angelico wrote:
>> Windows has some other issues, including that arbitrary files can
>> become executable very easily (eg if %PATHEXT% includes its file
>> extension), and since the current directory is always at the
>> beginning of your path, this can easily turn into a remote code
>> execution exploit.
>
> I didn't include dot in my example whitelist, and there's no mechanism
> for an attacker to add random extensions to your PATHEXT.

Years back, my FTP server was hacked by exploiting a buffer overflow.
The anonymous input directory contained a very long filename that
apparently contained some valid x86 code.

Did you vet your whitelist so it couldn't possibly be interpreted by the
CPU as meaningful instructions?


Marko
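The thread discusses three separate concerns about names supplied by an uploader: the character whitelist with no dot in it (Random832), the `%PATHEXT%` point about extensions that Windows will run (Chris Angelico), and the overlong filename that overflowed a buffer (Marko). The following is an added example, not code from any participant in this thread, showing how a server can handle all three at once: bound the length before anything else touches the name, accept only a whitelisted character set, and never use the client's name for storage at all, choosing a random token and a server-vetted extension instead. The length limit and the extension set are constructed values for illustration, not a recommendation for any particular system.

```python
import re
import secrets
from typing import Optional, Tuple

# Constructed policy value for this example: the longest client-supplied
# name the server is willing to look at.  A bounded length is the direct
# answer to the "long filename with valid x86 code in it" story: no check
# on the characters themselves stops a buffer overflow, only never copying
# an unbounded name into a fixed-size buffer does.
MAX_NAME_LEN = 64

# Whitelist for the uploader's own name for the file: letters, digits,
# underscore and hyphen.  No dot (so no extension can be smuggled in), no
# slash or backslash (no path components), no whitespace, no NUL.
NAME_RE = re.compile(r"\A[A-Za-z0-9_-]{1,%d}\Z" % MAX_NAME_LEN)

# Extensions Windows treats as directly runnable through %PATHEXT%.  This
# is a constructed, deliberately incomplete set for the example; a real
# deployment would take its list from its own policy.
EXECUTABLE_EXTS = frozenset(
    {".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".msi", ".scr"}
)


def client_name_is_acceptable(name: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a filename supplied by the uploader.

    The length check runs first so that an overlong name is rejected before
    any further processing sees it.
    """
    if not isinstance(name, str):
        return False, "not a string"
    if len(name) > MAX_NAME_LEN:
        return False, "too long"
    if NAME_RE.fullmatch(name) is None:
        return False, "character outside whitelist"
    return True, "ok"


def extension_is_executable(filename: str) -> bool:
    """True if the final extension (case-insensitive) is in the runnable set."""
    dot = filename.rfind(".")
    if dot == -1:
        return False
    return filename[dot:].lower() in EXECUTABLE_EXTS


def storage_name(client_name: str, allowed_ext: Optional[str] = None) -> str:
    """Pick the name the file is stored under.

    The client name is validated and then only kept as metadata by the
    caller; the on-disk name is a random token chosen by the server, with
    an optional extension that the server (not the uploader) decided on,
    e.g. from content sniffing.  Even that extension is refused if it is
    one the platform would execute.
    """
    ok, reason = client_name_is_acceptable(client_name)
    if not ok:
        raise ValueError("rejected client filename: %s" % reason)
    token = secrets.token_hex(16)  # 32 hex characters, no dot, no path chars
    if allowed_ext is None:
        return token
    if re.fullmatch(r"\.[a-z0-9]{1,8}", allowed_ext) is None:
        raise ValueError("extension outside policy")
    if extension_is_executable(allowed_ext):
        raise ValueError("executable extension refused")
    return token + allowed_ext


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("report_2016-08", "a" * 65, "../etc/passwd", "evil.exe"):
        print(repr(candidate), client_name_is_acceptable(candidate))
    print(storage_name("report_2016-08", ".txt"))
```

The point of splitting the work this way is that the whitelist only decides whether the uploader's name is worth recording; it never becomes a path. Whatever an attacker can fit into a 64-character string of letters and digits, the server never hands it to the filesystem, and the stored name carries no extension the uploader chose.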


