[PATCH] Ntpd config file support
Bernhard Reutner-Fischer
rep.dot.nop at gmail.com
Sat Mar 22 22:31:54 UTC 2014
On 22 March 2014 21:27:51 Rich Felker <dalias at aerifal.cx> wrote:
> On Sat, Mar 22, 2014 at 08:59:28PM +0100, Ralf Friedl wrote:
> > Harald Becker wrote:
> > >Your program will fail on lines starting with the word server
> > >(eg. serverxyz), that is it does not check for clear word
> > >boundary and gives wrong results in that case.
> > The program will not fail for serverxyz, it will add a server "xyz".
> > This may be a bug or a feature :-)
> > >>while (cbuf[i] > 35) i++;
> > >Unwise to do this in a not poor ASCII environment, as most
> > >systems are nowadays. This way you allow unprintable and any
> > >kind of illegal characters in time server addresses.
> > What is special about 35? Why is ' fine while " is not?
> > Of course the configuration comes from someone who already has root
> > access, so whatever happens here to an invalid input can't be worse
> > than "rm -rf /".
>
> Not necessarily. The ntp.conf file might be populated by some kind of
> autoconfig sysem (does DHCP have a way of offering suggested ntp
> servers?) which could in turn have malicious content injected. Whose
> responsibility it is to avoid this is an open question, but I think
> it's harmful to add a sloppy parser to busybox. If there's going to be
> a config parser it should attempt to be safe and correct.
We already have one, see parse_config / config_parse (forgot which one)..
>
> Rich
> _______________________________________________
> busybox mailing list
> busybox at busybox.net
> http://lists.busybox.net/mailman/listinfo/busybox
Sent with AquaMail for Android
http://www.aqua-mail.com
More information about the busybox
mailing list