bug-gnulib

Re: glob resource exhaustion [CVE-2010-2632]


From: Bruno Haible
Subject: Re: glob resource exhaustion [CVE-2010-2632]
Date: Thu, 14 Oct 2010 02:48:52 +0200
User-agent: KMail/1.9.9

Hi Paul,

> I agree that applications should set reasonable memory limits, but
> this is still a bug in glob, because glob should not return duplicates.
> For example, the pattern {.,.} should match just ".", not two instances
> of "." as it does now.

POSIX describes glob() in a way that precludes returning duplicates.
But the braces are a GNU extension, and the doc
  <http://www.gnu.org/software/libc/manual/html_mono/libc.html>
is pretty clear that {..,..} _will_ generate duplicates.

> Filtering out duplicates would not fix all possible denial-of-service
> attacks, but it will help

It does not help much. The expansion size is still exponential in the input
size:
  $ mkdir a b c d e f g h i j
  $ echo * | wc 
         1      10      20
  $ echo */../* | wc   
         1     100     700
  $ echo */../*/../* | wc 
         1    1000   12000
  $ echo */../*/../*/../* | wc 
         1   10000  170000
  $ echo */../*/../*/../*/../* | wc 
         1  100000 2200000

And even if "../" is disallowed, expanding */*/*/*/*/*/* on a large ftp
server will also generate thousands of file names.

Bruno
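
An added example, not part of the message above and not gnulib or glibc code: one way an application can keep this blow-up bounded is to expand the pattern one component at a time and stop as soon as the match count passes a cap, instead of letting the full list be built first. The names `walk` and `bounded_glob_count` are hypothetical; the sketch assumes '/'-separated fnmatch patterns without braces and counts matches rather than storing them.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fnmatch.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Count matches of `pat` below `base` into *n; return -1 once *n exceeds `limit`. */
static int walk(const char *base, const char *pat, long *n, long limit) {
    char comp[NAME_MAX + 1], path[PATH_MAX];
    size_t len = strcspn(pat, "/");
    const char *rest = pat[len] ? pat + len + 1 : NULL;
    struct dirent *e;
    DIR *d;
    int rc = 0;
    if (len == 0 || len > NAME_MAX || (d = opendir(base)) == NULL)
        return 0;                     /* empty component, or not a directory */
    snprintf(comp, sizeof comp, "%.*s", (int)len, pat);
    while (rc == 0 && (e = readdir(d)) != NULL) {
        if (fnmatch(comp, e->d_name, FNM_PERIOD) != 0 ||
            snprintf(path, sizeof path, "%s/%s", base, e->d_name) >= (int)sizeof path)
            continue;                 /* no match, or path too long */
        if (rest)
            rc = walk(path, rest, n, limit);
        else if (++*n > limit)
            rc = -1;                  /* cap hit: abandon the expansion */
    }
    closedir(d);
    return rc;
}

/* Matches of `pat` under `base`, or -1 if there are more than `limit`. */
long bounded_glob_count(const char *base, const char *pat, long limit) {
    long n = 0;
    return walk(base, pat, &n, limit) == 0 ? n : -1;
}

/* Constructed sample: the ten directories a..j from the message, in a temp dir. */
int main(void) {
    char t[] = "/tmp/globcap-XXXXXX", p[64];
    if (mkdtemp(t) == NULL) return 1;
    for (char c = 'a'; c <= 'j'; c++)
        if (snprintf(p, sizeof p, "%s/%c", t, c) < 0 || mkdir(p, 0700) != 0)
            return 1;
    printf("%ld %ld\n", bounded_glob_count(t, "*/../*", 1000),
           bounded_glob_count(t, "*/../*/../*", 500));
    return 0;
}
```

The cap bounds the size of the result, and the walk stops at the first match past it, so the work done is bounded by the cap rather than by the exponential expansion size.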


