In message <4.3.2.7.2.20010625093714.02218ef0at_private>, Alun Jones writes: >At 03:08 AM 6/19/2001, you wrote: >>2.) Connect to the server with anonymous and type cd con/con (yes, this is >>well know and works with MANY other too, but we think it should be >>filtered). > >While filtering such a command line may be a worthy suggestion, and is >certainly implemented in our own software, it is far from a perfect (or >even appropriate) solution. [but many possible combinations, and non >standard device names] > >There is no system call (that I could find after several days of searching) >that will enumerate the available DDNs, QueryDosDevice() will return a list of devices. But it's not terribly helpful because (a) it only works on Windows NT/2000 (and a little bit under Windows 95/98/ME, but not very reliably, giving many false positives and false negatives), and (b) there are many varitions on device names that are accepted, but will not appear in the list of devices returned (presumably this is a bounded list, but I couldn't find it documented, and gave up trying to enumerate it). >The only option available to developers is to filter on as many >known DDNs as possible, and allow the user to extend that filter as and >when necessary. This, of course, requires a substantially educated user, >which is almost always the weakest possible means of securing a system. What I ended up doing for Xitami (an open source program that iMatix maintains: http://www.xitami.com./) was using a different Windows system call: GetFileType(). You feed it a Windows file handle (from CreateFile()), and it tells you what type of thing the file handle points at (disk file, device, etc). This appears to work reliably on all versions of Windows, but it means you have to use CreateFile() to get your file handles (or open the file twice: we open the file twice, because we want unix-style file handles in the rest of the software). The solution isn't especially elegant. However when faced with a file hierachy where an arbitrary set of names in any directory are "booby trapped" (device names), and it's nearly imposible to determine this set in advance in any portable manner, and the end user has basically no control over the set of names that are special (cf unix device inodes where the user can choose where they appear in the directory hierachy), one is forced to resort to inelegant solutions. If you're curious to see the code we used, it is in the src/sfl/sflfile.c file, in the Xitami 2.4d9 and Xitami 2.5b5 source packages (available from the Xitami website above). This is what we developed after the Bugtraq device/device report we were faced with; our previous combination of QueryDosDevice() and "filter known combinations" clearly wasn't sufficient. Ewen -- Ewen McNeill, Technical Consultant, iMatix Corporation www.imatix.com
This archive was generated by hypermail 2b30 : Mon Jun 25 2001 - 15:37:12 PDT