[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [patch] Syscall auditing - move "name=" field to the end



On Thu, Mar 17, 2005 at 10:30:24AM -0800, Chris Wright wrote:
> We need to do something, as it is the data can't be trusted.  It's a way
> for user to possibly inject false audit messages.  And most characters
> are valid in pathnames.

We had this discussion a couple of weeks ago when we were talking about a
parseable format for audit records, but I think we didn't reach a
consensus back then.

I had proposed back then to use backslash escaping for newline, tab,
single quotes, and backslashes, and octal escapes for control characters
- that's fairly unobtrusive for normal filenames. You could add quotes to
the list of escaped characters if the strings are printed as quoted
strings.

-Klaus

void
print_escaped_string(FILE *out, const char *txt)
{
        for (;*txt;++txt) {
                switch(*txt) {
                case '\n':
                        putc('\\', out);
                        putc('n', out);
                        break;
                case '\t':
                        putc('\\', out);
                        putc('t', out);
                        break;
                case '\'':
                case '\\':
                        putc('\\', out);
                        putc(*txt, out);
                        break;
                default:
                        if (*txt<32) {
                                fprintf(out, "\\%03o", *txt);
                        } else {
                                putc(*txt, out);
                        }
                }
        }
}


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]