pinger argument unparsing unsoundness #238
Comments
You're right, the whole process of |
For Reasons I was looking at the source code for this crate, and I found code like this:

This is unsound, because if `target` starts with a `-` it will be interpreted by `ping` as an option. (By unsound I mean this: if this API is passed untrusted input, undesirable malfunctions, which might be security relevant, can occur.)

I don't think this is very exploitable, on Linux at least, because almost all of the options also require a target, which when this malfunction occurs won't be supplied. The worst that can be done seems to be to pass `-V` or `-h` and cause the rest of the pinger library to try to parse the help or version output, which will be a malfunction, but fairly harmless.

I suggest that the `ping_args` function ought to take something like `target: SyntaxCheckedTargetHost` (with `struct SyntaxCheckedTargetHost(String)`) and then in the common code you would check that the thing starts with an alphanumeric or `[` or `:` when constructing the `SyntaxCheckedTargetHost`.

Thanks,
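A sketch of the newtype suggested in the issue above, as an added example that is not code from the crate or from the issue author. The error type `TargetSyntaxError`, the `new` constructor, and the shape of `ping_args` (including the `-i` interval argument) are assumptions made for illustration.

```rust
/// A target host string whose first character has been checked, so `ping`
/// cannot interpret it as a command-line option.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SyntaxCheckedTargetHost(String);

/// Hypothetical error type for rejected targets (not part of the crate).
#[derive(Debug, PartialEq, Eq)]
pub enum TargetSyntaxError {
    Empty,
    BadFirstChar(char),
}

impl SyntaxCheckedTargetHost {
    /// Accept only targets starting with an alphanumeric, `[` or `:`,
    /// which is the check proposed in the issue.
    pub fn new(target: &str) -> Result<Self, TargetSyntaxError> {
        match target.chars().next() {
            None => Err(TargetSyntaxError::Empty),
            Some(c) if c.is_alphanumeric() || c == '[' || c == ':' => {
                Ok(Self(target.to_owned()))
            }
            Some(c) => Err(TargetSyntaxError::BadFirstChar(c)),
        }
    }

    pub fn as_str(&self) -> &str {
        &self.0
    }
}

/// Assumed shape of the argument builder: because it takes the checked type,
/// an unchecked string cannot reach the argument vector at all.
pub fn ping_args(target: &SyntaxCheckedTargetHost, interval_secs: f32) -> Vec<String> {
    vec![
        "-i".to_owned(),
        format!("{:.1}", interval_secs),
        target.as_str().to_owned(),
    ]
}

fn main() {
    // Constructed sample inputs: ordinary hosts, IPv6 forms, and option-like strings.
    for t in ["example.com", "192.0.2.1", "::1", "[2001:db8::1]", "-V", "-h", ""] {
        match SyntaxCheckedTargetHost::new(t) {
            Ok(host) => println!("{:?} -> ping {:?}", t, ping_args(&host, 1.0)),
            Err(e) => println!("{:?} rejected: {:?}", t, e),
        }
    }
}
```
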