[Bug 3979] New: udhcpc should filter out malicious hostnames passed in option 0x0c

bugzilla at busybox.net bugzilla at busybox.net
Fri Jul 15 10:04:16 UTC 2011


https://bugs.busybox.net/show_bug.cgi?id=3979

           Summary: udhcpc should filter out malicious hostnames passed in
                    option 0x0c
           Product: Busybox
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: Other
        AssignedTo: unassigned at busybox.net
        ReportedBy: vda.linux at googlemail.com
                CC: busybox-cvs at busybox.net
   Estimated Hours: 0.0


In particular, control chars, high-bit-set chars and ', `, $ may be used to do
nasty things.

The official rule is:

"The characters allowed in a label [DNS component] are a-z, A-Z, 0-9, and the
hyphen. Labels may not start or end with a hyphen."

See similar fix: https://bugzilla.redhat.com/show_bug.cgi?id=689832
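
The label rule quoted above, written out as an added C example (not part of the bug report and not BusyBox code). `hostname_is_safe` is a hypothetical helper that checks a length-delimited option 0x0c payload; the 63-byte label and 253-byte name limits are taken from RFC 1035, not from this report, and rejecting a trailing dot is an assumption.

```c
#include <stddef.h>
#include <stdio.h>

/* ASCII-only test: isalnum() is locale-dependent and may accept high-bit bytes. */
static int is_ascii_alnum(unsigned char c)
{
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
	    || (c >= '0' && c <= '9');
}

/* Hypothetical helper: returns 1 if the len-byte payload is a dot-separated
 * list of valid labels, 0 otherwise. The payload is length-delimited and is
 * never treated as a NUL-terminated string. */
int hostname_is_safe(const unsigned char *opt, size_t len)
{
	size_t i, label_len = 0;

	if (len == 0 || len > 253)
		return 0;
	for (i = 0; i < len; i++) {
		unsigned char c = opt[i];
		if (c == '.') {
			/* empty label, or the label just finished ends with '-' */
			if (label_len == 0 || opt[i - 1] == '-')
				return 0;
			label_len = 0;
			continue;
		}
		if (c == '-') {
			if (label_len == 0)	/* label starts with a hyphen */
				return 0;
		} else if (!is_ascii_alnum(c)) {
			return 0;	/* control, high-bit, ', `, $, NUL, space, ... */
		}
		if (++label_len > 63)
			return 0;
	}
	/* the last label must be non-empty and must not end with '-' */
	return label_len != 0 && opt[len - 1] != '-';
}

int main(void)
{
	/* Constructed sample payloads; the third embeds a NUL byte. */
	static const struct { const char *s; size_t n; } t[] = {
		{ "host-1.example", 14 }, { "a`id`", 5 }, { "ab\0cd", 5 }, { "-bad", 4 },
	};
	size_t i;
	for (i = 0; i < sizeof(t) / sizeof(t[0]); i++)
		printf("%zu bytes: %s\n", t[i].n,
		       hostname_is_safe((const unsigned char *)t[i].s, t[i].n) ? "accept" : "reject");
	return 0;
}
```

A value that fails the check is best dropped before it reaches the environment of any script, rather than escaped.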
