Re: glob resource exhaustion [CVE-2010-2632]
From: Bruno Haible
Subject: Re: glob resource exhaustion [CVE-2010-2632]
Date: Thu, 14 Oct 2010 02:48:52 +0200
User-agent: KMail/1.9.9

Hi Paul,

> I agree that applications should set reasonable memory limits, but
> this is still a bug in glob, because glob should not return duplicates.
> For example, the pattern {.,.} should match just ".", not two instances
> of "." as it does now.

POSIX describes glob() in a way that precludes returning duplicates.
But the braces are a GNU extension, and the doc
<http://www.gnu.org/software/libc/manual/html_mono/libc.html>
is pretty clear that {..,..} _will_ generate duplicates.

> Filtering out duplicates would not fix all possible denial-of-service
> attacks, but it will help

It does not help much. The expansion size is still exponential in the input
size:

  $ mkdir a b c d e f g h i j
  $ echo * | wc
  1 10 20
  $ echo */../* | wc
  1 100 700
  $ echo */../*/../* | wc
  1 1000 12000
  $ echo */../*/../*/../* | wc
  1 10000 170000
  $ echo */../*/../*/../*/../* | wc
  1 100000 2200000

And even if "../" is disallowed, expanding */*/*/*/*/*/* on a large ftp
server will also generate thousands of file names.

Bruno
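
The growth shown in the session above, and one way for an application to cap it, as an added example that is not part of the original message. It uses Python's glob.iglob() rather than glibc's glob(); the names bounded_glob, GlobLimitExceeded, make_fixture and expansion_sizes are hypothetical, and the ten-directory tree is constructed in a temporary directory.

```python
import glob
import itertools
import os
import tempfile


class GlobLimitExceeded(Exception):
    """Raised when a pattern expands to more paths than the caller allows."""


def bounded_glob(pattern, limit):
    """Expand pattern, but stop as soon as more than `limit` paths are seen.

    glob.iglob() yields matches lazily, so at most limit + 1 results are
    collected here, however large the full expansion would be.
    """
    matches = list(itertools.islice(glob.iglob(pattern), limit + 1))
    if len(matches) > limit:
        raise GlobLimitExceeded(f"{pattern!r} expands to more than {limit} paths")
    return matches


def make_fixture(root):
    """Constructed sample tree: the ten directories a..j from the session."""
    for name in "abcdefghij":
        os.mkdir(os.path.join(root, name))


def expansion_sizes(root, depth):
    """Match counts for *, */../*, */../*/../*, ... with 1..depth wildcards."""
    base = glob.escape(root)  # keep any magic characters in root literal
    sizes = []
    for k in range(1, depth + 1):
        pattern = os.path.join(base, "/../".join(["*"] * k))
        sizes.append(sum(1 for _ in glob.iglob(pattern)))
    return sizes


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        make_fixture(root)
        print(expansion_sizes(root, 4))  # tenfold growth per added "/../*"
        deep = os.path.join(glob.escape(root), "*/../*/../*/../*/../*")
        try:
            bounded_glob(deep, 500)  # 500 is an arbitrary sample limit
        except GlobLimitExceeded as exc:
            print("refused:", exc)
```

The cap bounds the number of results collected, not the directory reads needed to reach the limit, so it complements rather than replaces a process memory limit.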