Bug 1578 - The "best effort" charset conversion path is potentially insecure
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Extended Characters
Version: 3.0.4
Hardware: All Linux
: P3 major
Target Milestone: none
Assignee: Jim McDonough
QA Contact: Samba QA Contact
Reported: 2004-08-01 19:58 UTC by Alexander E. Patrakov
Modified: 2005-08-24 10:18 UTC

This patch implements the "default character" solution (4.75 KB, patch)
2004-08-05 21:36 UTC, Alexander E. Patrakov
This patch implements the "default character" solution (4.69 KB, patch)
2004-08-06 04:28 UTC, Alexander E. Patrakov

Description Alexander E. Patrakov 2004-08-01 19:58:17 UTC
The bug is located in source/lib/charcnv.c, after the use_as_is labels.

The code that "converts" from UCS-2 to multibyte contains the following statement:

*outbuf = inbuf[0];

This means that as a result of such "conversion", the following characters may
appear in outbuf:

1) Null byte (0x00)
2) Dot (.)
3) Slash (/ or \)
4) Any other character with the code less than 0x20 - Windows won't accept it
and it will not be easy to delete the file. This actually happens with the
NUMERO SIGN in Russia (UCS2-LE for NUMERO is 0x16 0x21, and it gets mapped to 0x16).

The same issue applies to other "conversion" cases (bad multibyte => UCS-2 and
multibyte => multibyte).

The points (1) - (3) very probably lead to exploits (I am too lazy to actually
search for an exploit, but I am sure it exists).

A much better solution is to just substitute any bad character with an
underscore (or whatever the user specifies in the smb.conf file as a new "bad
character replacement" global parameter).

Another solution is to do the URL-style percent-escaping of bad characters, but
I would prefer to be able to choose between the two mechanisms.
Comment 1 Alexander E. Patrakov 2004-08-05 21:36:21 UTC
Created attachment 595
This patch implements the "default character" solution

This patch implements the "default character" solution. It does not modify the
smb.conf manual page, although it should. Please add the following description
to the new "default char" global option:

This controls the replacement character used instead of inconvertible one when
the precise conversion between two character sets is not possible. The default
is a '_' but this may interfere with some software. Use this option to set it
to whatever you prefer. The value must be an ASCII character.

Default: default char = _
Example: default char = X
Comment 2 Alexander E. Patrakov 2004-08-06 04:28:44 UTC
Created attachment 596
This patch implements the "default character" solution

The previous patch had a typo in it
Comment 3 Alexander Bokovoy 2004-08-08 23:40:45 UTC
Reassigning to Jim temporarily as I can't commit patches due to some internal
Comment 4 Jeremy Allison 2004-08-09 19:06:49 UTC
Applied, except I hardcoded the char to '_'. I really don't want a new parameter.
Comment 5 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:18:24 UTC
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.
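
Added example, not part of the bug thread and not Samba's charcnv.c: a small C model of the fallback reported in the description next to the '_' substitution applied in comment 4. The names convert_name, count_forged and convertible, the ASCII-only target charset and the sample code units are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample name (UCS-2 code units): 'a', U+2116 NUMERO SIGN,
 * U+012F, U+022E, U+0100, 'b'. */
static const uint16_t SAMPLE[] = { 'a', 0x2116, 0x012F, 0x022E, 0x0100, 'b' };
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Assumption: stand-in for the real converter; only 7-bit ASCII converts. */
static int convertible(uint16_t cu) { return cu < 0x80; }

/* Bytes the report calls out: NUL and other controls, dot, slash, backslash. */
static int is_risky(unsigned char b)
{
    return b < 0x20 || b == '.' || b == '/' || b == '\\';
}

/* use_default_char == 0: the reported fallback, low byte copied as-is
 * (the effect of "*outbuf = inbuf[0]" on UCS-2LE input).
 * use_default_char != 0: inconvertible units become '_'. */
void convert_name(const uint16_t *in, size_t n, unsigned char *out,
                  int use_default_char)
{
    for (size_t i = 0; i < n; i++) {
        if (convertible(in[i]))
            out[i] = (unsigned char)in[i];
        else
            out[i] = use_default_char ? '_' : (unsigned char)(in[i] & 0xFF);
    }
}

/* Count risky output bytes that were not in the input at that position. */
size_t count_forged(const uint16_t *in, const unsigned char *out, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_risky(out[i]) && in[i] != out[i])
            hits++;
    return hits;
}

int main(void)
{
    unsigned char out[SAMPLE_LEN];
    convert_name(SAMPLE, SAMPLE_LEN, out, 0);
    printf("as-is fallback: %zu forged bytes\n", count_forged(SAMPLE, out, SAMPLE_LEN));
    convert_name(SAMPLE, SAMPLE_LEN, out, 1);
    printf("'_' fallback:   %zu forged bytes\n", count_forged(SAMPLE, out, SAMPLE_LEN));
    return 0;
}
```

A check like count_forged can be reused as a regression test around any best-effort conversion path: no byte from the risky set should appear in the output unless the same character was in the input.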