On Mon, Dec 06, 2010 at 09:28:39AM -0800, Zach Carter wrote: > On Sunday 05 December 2010 13:25:57 Roger Leigh wrote: > > Can anyone see any downside from being this permissive, or any > > security implication I've not seen? (I'm only looking at pathname- > > based security exploits here--is there anything else we need to > > worry about?) > > Like lvm, it might be wise to check that btrfs supports the various allowed > characters. I saw one reference to an old btrfs man page that disallows both > types of slashes, however the current man page does not mention the > restriction. > > I don't have time at the moment, but I can try to test some scenarios some > time later this week.
That would be very useful, thanks. I did a few quick tests, and it seems fairly permissive: % sudo btrfs subvolume snapshot /srv/chroot/sid '/srv/chroot/!"£$%^&*()\\#~<>,.?\|' Create a snapshot of '/srv/chroot/sid' in '/srv/chroot/!"£$%^&*()\\#~<>,.?\|' % sudo btrfs subvolume snapshot /srv/chroot/sid "/srv/chroot/bb;:\\'@+=_-" Create a snapshot of '/srv/chroot/sid' in '/srv/chroot/bb;:\'@+=_-' % sudo btrfs subvolume snapshot /srv/chroot/sid '/srv/chroot/aa…•→ǒ¢™⁶' Create a snapshot of '/srv/chroot/sid' in '/srv/chroot/aa…•→ǒ¢™⁶' ravenclaw% ls -1 /srv/chroot !"£$%^&*()\\#~<>,.?\| aa…•→ǒ¢™⁶ bb;:\'@+=_- sid […] Thanks, Roger -- .''`. Roger Leigh : :' : Debian GNU/Linux http://people.debian.org/~rleigh/ `. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/ `- GPG Public Key: 0x25BFB848 Please GPG sign your mail.
signature.asc
Description: Digital signature
