Demi Marie Obenour writes: > On 11/4/25 10:27, Alyssa Ross wrote: >> Demi Marie Obenour writes: >> >>> On 11/2/25 07:18, Alyssa Ross wrote: >>>> Demi Marie Obenour writes: >>>> >>>>> On 11/1/25 08:17, Alyssa Ross wrote: >>>>>> Demi Marie Obenour writes: >>>>>> >>>>>>> On 10/29/25 08:01, Alyssa Ross wrote: >>>>>>>> Demi Marie Obenour writes: >>>>>>>> >>>>>>>>> + if (entry->d_name[0] == '.') >>>>>>>>> + if (len == 1 || (len == 2 && entry->d_name[1] == '.')) >>>>>>>>> + continue; >>>>>>>>> + if (strcmp(entry->d_name, "SHA256SUMS") == 0) { >>>>>>>>> + found_sha256sums = true; >>>>>>>>> + continue; >>>>>>>>> + } >>>>>>>>> + if (strcmp(entry->d_name, "SHA256SUMS.gpg") == 0) { >>>>>>>>> + found_sha256sums_gpg = true; >>>>>>>>> + continue; >>>>>>>>> + } >>>>>>>>> + unsigned char c = (unsigned char)entry->d_name[0]; >>>>>>>>> + if (!((c >= 'A' && c <= 'Z') || >>>>>>>>> + (c >= 'a' && c <= 'z'))) >>>>>>>>> + errx(1, "Filename must begin with an ASCII letter"); >>>>>>>>> + for (size_t i = 1; i < len; ++i) { >>>>>>>>> + c = (unsigned char)entry->d_name[i]; >>>>>>>>> + if (!((c >= 'A' && c <= 'Z') || >>>>>>>>> + (c >= 'a' && c <= 'z') || >>>>>>>>> + (c >= '0' && c <= '9') || >>>>>>>>> + (c == '_') || >>>>>>>>> + (c == '-') || >>>>>>>>> + (c == '.'))) { >>>>>>>>> + if (c >= 0x20 && c <= 0x7E) >>>>>>>>> + errx(1, "Forbidden subsequent character in filename: '%c'", (int)c); >>>>>>>>> + else >>>>>>>>> + errx(1, "Forbidden subsequent character in filename: byte %d", (int)c); >>>>>>>>> + } >>>>>>>>> + } >>>>>>>> >>>>>>>> Why do we care? Surely we don't expect systemd-sysupdate to put >>>>>>>> filenames unescaped into a shell or something. >>>>>>> >>>>>>> Prevent escape sequence injection into terminals and logs is the >>>>>>> main reason. Qubes OS has similar checks in some places, though they >>>>>>> are off by default for file copying. >>>>>> >>>>>> Doing this in a tool that's only used by sysupdate is a very ad-hoc way >>>>>> to protect against that. I think if we want to protect against that >>>>>> sort of thing it should be done in one place, probably in virtiofsd. >>>>> >>>>> I think sysupdate is more likely to log unsanitized data, especially >>>>> as systemd-journald has no problems with it. >>>> >>>> What's the difference between systemd-journald's behaviour and the >>>> logging we have? >>> >>> I'm not familiar with s6 at all, but I think it is at least worth >>> investigating. Also, all else equal it is best to reject invalid >>> untrusted input as early as possible. >> >> As early as possible would be in virtiofsd, not ad-hoc for this one >> service here. > > That’s actually an interesting idea, but I don’t know if it would > be upstreamable. I imagine this could fit with the work that's being done on pluggable backends[1][2]. [1]: https://youtu.be/qsFc234tzz4?si=Qw2b4MzerLWCX39J&t=239 [2]: https://gitlab.com/virtio-fs/virtiofsd/-/issues/147