tech-security archive
Re: NetBSD Security Advisory 2011-005: ISC dhclient hostname field shell metacharacter injection
On Tue, 26 Apr 2011, NetBSD Security Officer wrote:
> new_host_name="$(echo "${new_host_name}" | sed -e 's/[^a-zA-Z0-9-]*//g')"
>
> The reason to do this, is that unless the hostname is sanitized,
> a hostname with shell metacharacters can be set on the system, and
> other scripts might break that use the compromised hostname.

Unrelated to DHCP, should we consider making it so the hostname(1) tool,
sethostname(3), and/or sysctl kern.hostname do not accept junk?

I was quite surprised what I could set as my hostname when I looked at
this a couple weeks ago.

When is it okay for hostname to contain strange characters? (Any odd but
real working examples to share?)
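
Added example, not part of the original message or the advisory: the sed filter quoted above next to a reject-instead-of-strip check against RFC 952/1123 host name syntax. The function names and sample inputs are constructed, and the validating approach is an assumption, not NetBSD's fix.

```shell
#!/bin/sh
# Added example (not from the advisory): strip vs. validate a DHCP-supplied name.
# Function names and sample inputs are constructed for illustration.
LC_ALL=C; export LC_ALL   # keep a-z / A-Z ranges byte-wise

# The filter quoted from the advisory: delete every character
# outside [a-zA-Z0-9-]. Note that this also deletes dots.
strip_hostname() {
    printf '%s\n' "$1" | sed -e 's/[^a-zA-Z0-9-]*//g'
}

# Assumed alternative: accept only RFC 952/1123 host name syntax and
# reject everything else. Returns 0 if valid, 1 otherwise.
valid_hostname() {
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    case $name in
        *[!a-zA-Z0-9.-]*) return 1 ;;   # any character outside the set
        .*|*.|*..*)       return 1 ;;   # empty label
    esac
    rest=$name
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        case $rest in
            *.*) rest=${rest#*.} ;;
            *)   rest= ;;
        esac
        [ "${#label}" -le 63 ] || return 1   # label length limit
        case $label in
            -*|*-) return 1 ;;               # no leading/trailing hyphen
        esac
    done
    return 0
}

# Constructed sample inputs.
for sample in 'web01.example.org' 'bad;name$x' '-lead'; do
    if valid_hostname "$sample"; then verdict=accept; else verdict=reject; fi
    printf '%-18s strip=%-16s validate=%s\n' \
        "$sample" "$(strip_hostname "$sample")" "$verdict"
done
```

The strip filter turns web01.example.org into web01exampleorg and maps a name containing metacharacters to a different, valid-looking one, while the validating form reports the bad name so the caller can refuse to set it.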