From: Alyssa Ross
To: Demi Marie Obenour
CC: Spectrum OS Development
Subject: Re: [PATCH 3/7] tools: Add directory checker for updates
Date: Thu, 06 Nov 2025 11:15:04 +0100
Message-ID: <87ms4zxyaf.fsf@alyssa.is>
In-Reply-To: <83e81178-97d8-4ed6-8c21-4f2517a407c2@gmail.com>
List-Id: Patches and low-level development discussion

Demi Marie Obenour writes:
> On 11/4/25 10:27, Alyssa Ross wrote:
>> Demi Marie Obenour writes:
>>
>>> On 11/2/25 07:18, Alyssa Ross wrote:
>>>> Demi Marie Obenour writes:
>>>>
>>>>> On 11/1/25 08:17, Alyssa Ross wrote:
>>>>>> Demi Marie Obenour writes:
>>>>>>
>>>>>>> On 10/29/25 08:01, Alyssa Ross wrote:
>>>>>>>> Demi Marie Obenour writes:
>>>>>>>>
>>>>>>>>> + if (entry->d_name[0] == '.')
>>>>>>>>> + if (len == 1 || (len == 2 && entry->d_name[1] == '.'))
>>>>>>>>> + continue;
>>>>>>>>> + if (strcmp(entry->d_name, "SHA256SUMS") == 0) {
>>>>>>>>> + found_sha256sums = true;
>>>>>>>>> + continue;
>>>>>>>>> + }
>>>>>>>>> + if (strcmp(entry->d_name, "SHA256SUMS.gpg") == 0) {
>>>>>>>>> + found_sha256sums_gpg = true;
>>>>>>>>> + continue;
>>>>>>>>> + }
>>>>>>>>> + unsigned char c = (unsigned char)entry->d_name[0];
>>>>>>>>> + if (!((c >= 'A' && c <= 'Z') ||
>>>>>>>>> + (c >= 'a' && c <= 'z')))
>>>>>>>>> + errx(1, "Filename must begin with an ASCII letter");
>>>>>>>>> + for (size_t i = 1; i < len; ++i) {
>>>>>>>>> + c = (unsigned char)entry->d_name[i];
>>>>>>>>> + if (!((c >= 'A' && c <= 'Z') ||
>>>>>>>>> + (c >= 'a' && c <= 'z') ||
>>>>>>>>> + (c >= '0' && c <= '9') ||
>>>>>>>>> + (c == '_') ||
>>>>>>>>> + (c == '-') ||
>>>>>>>>> + (c == '.'))) {
>>>>>>>>> + if (c >= 0x20 && c <= 0x7E)
>>>>>>>>> + errx(1, "Forbidden subsequent character in filename: '%c'", (int)c);
>>>>>>>>> + else
>>>>>>>>> + errx(1, "Forbidden subsequent character in filename: byte %d", (int)c);
>>>>>>>>> + }
>>>>>>>>> + }
>>>>>>>>
>>>>>>>> Why do we care? Surely we don't expect systemd-sysupdate to put
>>>>>>>> filenames unescaped into a shell or something.
>>>>>>>
>>>>>>> Preventing escape sequence injection into terminals and logs is the
>>>>>>> main reason. Qubes OS has similar checks in some places, though they
>>>>>>> are off by default for file copying.
>>>>>>
>>>>>> Doing this in a tool that's only used by sysupdate is a very ad-hoc way
>>>>>> to protect against that. I think if we want to protect against that
>>>>>> sort of thing it should be done in one place, probably in virtiofsd.
>>>>>
>>>>> I think sysupdate is more likely to log unsanitized data, especially
>>>>> as systemd-journald has no problems with it.
>>>>
>>>> What's the difference between systemd-journald's behaviour and the
>>>> logging we have?
>>>
>>> I'm not familiar with s6 at all, but I think it is at least worth
>>> investigating. Also, all else equal it is best to reject invalid
>>> untrusted input as early as possible.
>>
>> As early as possible would be in virtiofsd, not ad-hoc for this one
>> service here.
>
> That’s actually an interesting idea, but I don’t know if it would
> be upstreamable.
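Review bot: both `errx` calls in the character loop report the offending character but not where it was found, and since the name itself is deliberately not echoed, an operator has nothing to locate the bad entry with; consider adding the byte index to the message, e.g. `errx(1, "Forbidden character at byte %zu of filename: byte %d", i, (int)c);`, and the same for the first-character check. The leading-dot branch also means every dotfile other than `.` and `..` falls through and is rejected as "Filename must begin with an ASCII letter", which matches the policy but reads as a confusing diagnosis for `.hidden`; a dedicated message for that case would help.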
I imagine this could fit with the work that's being done on pluggable
backends[1][2].

[1]: https://youtu.be/qsFc234tzz4?si=Qw2b4MzerLWCX39J&t=239
[2]: https://gitlab.com/virtio-fs/virtiofsd/-/issues/147
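As an added example (not the patch's code and not from either participant), the hunk's filename policy as a testable function next to the other approach raised in the thread: escaping control bytes once at the log sink rather than rejecting names in each tool. The function names `filename_is_safe` and `escape_for_log` are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The filename policy from the quoted hunk, as a testable function:
 * first byte an ASCII letter, the rest ASCII letters, digits, '_', '-'
 * or '.'. Anything else, including ESC (0x1b), is rejected outright. */
static bool is_ascii_letter(unsigned char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

bool filename_is_safe(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || !is_ascii_letter((unsigned char)name[0]))
        return false;
    for (size_t i = 1; i < len; ++i) {
        unsigned char c = (unsigned char)name[i];
        if (!(is_ascii_letter(c) || (c >= '0' && c <= '9') ||
              c == '_' || c == '-' || c == '.'))
            return false;
    }
    return true;
}

/* The alternative discussed in the thread: sanitize once at the log
 * sink instead of in each tool. Every byte outside printable ASCII
 * (and the backslash itself) is rewritten as \xNN, so a terminal or
 * log viewer never sees a raw control byte. Returns the output length
 * (without the NUL) or -1 if `out` is too small. */
int escape_for_log(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; ++p) {
        if (*p >= 0x20 && *p <= 0x7E && *p != '\\') {
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)*p;
        } else {
            if (o + 4 >= outsz) return -1;   /* room for 4 chars + NUL */
            snprintf(out + o, outsz - o, "\\x%02x", *p);
            o += 4;
        }
    }
    if (o >= outsz) return -1;
    out[o] = '\0';
    return (int)o;
}
```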