security October 2014

security@lists.fedoraproject.org

10 participants
15 discussions

Start a nNew thread

defensive-coding update for F21
by Nikos Mavrogiannopoulos 13 Nov '14

13 Nov '14

2 3

Fedora security vs Debian
by max.lulu.07＠t-online.de 12 Nov '14

12 Nov '14

Hello, I'm using the Fedora distro for my desktop since a while. But now I want to setup a web server. For me it doesn’t make much sense to setup Fedora as a productive server system because this would need too much attention for all the updates (that’s a point I really love for the desktop!). Another thing that is very cool (or the main reason why I’ve chosen Fedora as my primary system) is it’s great focus on security (let’s think of the implementation of SELinux). Now my question is: How is the Debian security compared to the security of Fedora? They don’t have SELinux, ok. The reason why I want to use Debian is, because a RHEL subscription is too expensive for a home server and the CentOS project… Well sometimes (not in general) they are a bit slow in providing security updates. So is Debian as secure as Fedora? Thanks for all upcoming replies! Max ---------------------------------------------------------------- Mit einer kostenlosen E-Mail-Adresse @t-online.de werden Ihre Daten verschlüsselt übertragen und in Deutschland gespeichert. www.t-online.de/email-kostenlos

4 3

Anything like security-announces on Fedora?
by Richard Z 29 Oct '14

29 Oct '14

Hi, noticed https://fedoraproject.org/wiki/SecurityBasics which is 2 clicks from the landing page and could use some updates. Do we have an kind of security announcements list which could be recommended there? Richard --- Name and OpenPGP keys available from pgp key servers

5 10

TLS scan results for October 2014
by Hubert Kario 25 Oct '14

25 Oct '14

Big changes mostly caused by Cloudflare's Universal SSL and aftermatch of POODLE. Detailed analysys on my blog: http://securitypitfalls.wordpress.com/2014/10/25/october-2014-results-big-c… SSL/TLS survey of 435987 websites from Alexa's top 1 million Stats only from connections that did provide valid certificates (or anonymous DH from servers that do also have valid certificate installed) Supported Ciphers Count Percent -------------------------+---------+------- 3DES 377229 86.523 3DES Only 168 0.0385 AES 409388 93.8991 AES Only 2002 0.4592 AES-CBC Only 877 0.2012 AES-GCM 210554 48.2936 AES-GCM Only 17 0.0039 CAMELLIA 171200 39.2672 CHACHA20 14611 3.3512 Insecure 88343 20.2628 RC4 375776 86.1897 RC4 Only 3595 0.8246 RC4 Preferred 67695 15.5268 RC4 forced in TLS1.1+ 47943 10.9964 x:FF 29 RC4 Only 5814 1.3335 x:FF 29 RC4 Preferred 79458 18.2249 x:FF 29 incompatible 164 0.0376 y:DHE-RSA-SEED-SHA 80620 18.4914 y:IDEA-CBC-MD5 3756 0.8615 y:IDEA-CBC-SHA 67532 15.4895 y:SEED-SHA 86784 19.9052 z:ADH-AES128-GCM-SHA256 338 0.0775 z:ADH-AES128-SHA 1197 0.2745 z:ADH-AES128-SHA256 317 0.0727 z:ADH-AES256-GCM-SHA384 338 0.0775 z:ADH-AES256-SHA 1202 0.2757 z:ADH-AES256-SHA256 317 0.0727 z:ADH-CAMELLIA128-SHA 559 0.1282 z:ADH-CAMELLIA256-SHA 567 0.13 z:ADH-DES-CBC-SHA 530 0.1216 z:ADH-DES-CBC3-SHA 1250 0.2867 z:ADH-RC4-MD5 1059 0.2429 z:ADH-SEED-SHA 393 0.0901 z:AECDH-AES128-SHA 14245 3.2673 z:AECDH-AES256-SHA 14255 3.2696 z:AECDH-DES-CBC3-SHA 14216 3.2606 z:AECDH-NULL-SHA 30 0.0069 z:AECDH-RC4-SHA 13277 3.0453 z:DES-CBC-MD5 24072 5.5213 z:DES-CBC-SHA 66848 15.3326 z:ECDHE-RSA-NULL-SHA 36 0.0083 z:EDH-RSA-DES-CBC-SHA 58599 13.4405 z:EXP-ADH-DES-CBC-SHA 435 0.0998 z:EXP-ADH-RC4-MD5 438 0.1005 z:EXP-DES-CBC-SHA 52036 11.9352 z:EXP-EDH-RSA-DES-CBC-SHA 40390 9.264 z:EXP-RC2-CBC-MD5 56308 12.9151 z:NULL-MD5 359 0.0823 z:NULL-SHA 361 0.0828 z:NULL-SHA256 19 0.0044 z:RC2-CBC-MD5 28014 6.4254 Cipher ordering Count Percent -------------------------+---------+------- Client side 170342 39.0704 Server side 265645 60.9296 FF 29 selected ciphers Count Percent -----------------------------+---------+------ AES128-SHA 41722 9.5696 AES256-SHA 25362 5.8171 CAMELLIA128-SHA 132 0.0303 CAMELLIA256-SHA 45 0.0103 DES-CBC3-SHA 1046 0.2399 DHE-RSA-AES128-SHA 98725 22.644 DHE-RSA-AES256-SHA 14490 3.3235 DHE-RSA-CAMELLIA128-SHA 34 0.0078 DHE-RSA-CAMELLIA256-SHA 540 0.1239 ECDHE-ECDSA-AES128-GCM-SHA256 28993 6.65 ECDHE-ECDSA-AES128-SHA 33 0.0076 ECDHE-ECDSA-AES256-SHA 1 0.0002 ECDHE-RSA-AES128-GCM-SHA256 115469 26.4845 ECDHE-RSA-AES128-SHA 3024 0.6936 ECDHE-RSA-AES256-SHA 26483 6.0743 ECDHE-RSA-DES-CBC3-SHA 41 0.0094 ECDHE-RSA-RC4-SHA 22083 5.0651 EDH-RSA-DES-CBC3-SHA 234 0.0537 RC4-MD5 14117 3.2379 RC4-SHA 43249 9.9198 x:DHE 114023 26.1528 x:ECDHE 196127 44.9846 x:kRSA 125673 28.8249 Supported Handshakes Count Percent -------------------------+---------+------- ADH 1316 0.3018 AECDH 14284 3.2762 DHE 211473 48.5044 ECDHE 234954 53.8901 ECDHE and DHE 88609 20.3238 RSA 418706 96.0363 Supported PFS Count Percent PFS Percent -------------------------+---------+--------+----------- DH,1024bits 191816 43.9958 90.7047 DH,1536bits 1 0.0002 0.0005 DH,2048bits 17701 4.06 8.3703 DH,2226bits 1 0.0002 0.0005 DH,2236bits 2 0.0005 0.0009 DH,2430bits 1 0.0002 0.0005 DH,3072bits 9 0.0021 0.0043 DH,3247bits 1 0.0002 0.0005 DH,3248bits 2 0.0005 0.0009 DH,4096bits 1006 0.2307 0.4757 DH,512bits 40546 9.2998 19.1731 DH,768bits 779 0.1787 0.3684 DH,8192bits 1 0.0002 0.0005 ECDH,B-163,163bits 15 0.0034 0.0064 ECDH,B-571,570bits 456 0.1046 0.1941 ECDH,P-224,224bits 6 0.0014 0.0026 ECDH,P-256,256bits 233089 53.4624 99.2062 ECDH,P-384,384bits 675 0.1548 0.2873 ECDH,P-521,521bits 1259 0.2888 0.5358 Prefer DH,1024bits 111225 25.5111 52.5954 Prefer DH,1536bits 1 0.0002 0.0005 Prefer DH,2048bits 1875 0.4301 0.8866 Prefer DH,2236bits 1 0.0002 0.0005 Prefer DH,3072bits 1 0.0002 0.0005 Prefer DH,4096bits 61 0.014 0.0288 Prefer DH,512bits 6 0.0014 0.0028 Prefer DH,768bits 443 0.1016 0.2095 Prefer ECDH,B-163,163bits 15 0.0034 0.0064 Prefer ECDH,B-571,570bits 357 0.0819 0.1519 Prefer ECDH,P-224,224bits 4 0.0009 0.0017 Prefer ECDH,P-256,256bits 183233 42.0272 77.9868 Prefer ECDH,P-384,384bits 616 0.1413 0.2622 Prefer ECDH,P-521,521bits 1191 0.2732 0.5069 Prefer PFS 299029 68.5867 0 Support PFS 357818 82.0708 0 TLS session ticket hint Count Percent -------------------------+---------+-------- 3 2 0.0005 3 only 2 0.0005 5 1 0.0002 5 only 1 0.0002 10 1 0.0002 10 only 1 0.0002 30 10 0.0023 30 only 3 0.0007 60 57 0.0131 60 only 50 0.0115 64 1 0.0002 100 17 0.0039 100 only 17 0.0039 120 14 0.0032 120 only 14 0.0032 128 2 0.0005 128 only 2 0.0005 180 27 0.0062 180 only 27 0.0062 240 3 0.0007 240 only 3 0.0007 300 168875 38.734 300 only 151039 34.643 360 1 0.0002 360 only 1 0.0002 400 1 0.0002 400 only 1 0.0002 420 22 0.005 420 only 13 0.003 480 10 0.0023 480 only 10 0.0023 600 9358 2.1464 600 only 9103 2.0879 900 289 0.0663 900 only 266 0.061 960 2 0.0005 960 only 2 0.0005 1000 1 0.0002 1000 only 1 0.0002 1200 64 0.0147 1200 only 61 0.014 1500 9 0.0021 1500 only 8 0.0018 1800 211 0.0484 1800 only 204 0.0468 2100 1 0.0002 2100 only 1 0.0002 2400 1 0.0002 2400 only 1 0.0002 2700 5 0.0011 2700 only 5 0.0011 3000 11 0.0025 3000 only 11 0.0025 3600 296 0.0679 3600 only 281 0.0645 5400 2 0.0005 7200 11402 2.6152 7200 only 8697 1.9948 10800 15 0.0034 10800 only 8 0.0018 14400 929 0.2131 14400 only 927 0.2126 21600 723 0.1658 21600 only 722 0.1656 28800 8 0.0018 28800 only 8 0.0018 36000 409 0.0938 36000 only 408 0.0936 43200 5170 1.1858 43200 only 5170 1.1858 64800 37708 8.6489 64800 only 33313 7.6408 72000 8 0.0018 72000 only 8 0.0018 86000 27 0.0062 86000 only 23 0.0053 86400 168 0.0385 86400 only 167 0.0383 100800 14357 3.293 100800 only 17 0.0039 115200 1 0.0002 115200 only 1 0.0002 129600 11 0.0025 129600 only 11 0.0025 604800 1 0.0002 604800 only 1 0.0002 864000 4 0.0009 864000 only 4 0.0009 None 225373 51.6926 None only 185753 42.6052 Certificate sig alg Count Percent -------------------------+---------+-------- None 15401 3.5324 ecdsa-with-SHA256 20950 4.8052 sha1WithRSAEncryption 330148 75.7243 sha256WithRSAEncryption 89341 20.4917 sha512WithRSAEncryption 1 0.0002 Certificate key size Count Percent -------------------------+---------+-------- ECDSA 256 29029 6.6582 ECDSA 384 2 0.0005 ECDSA 521 1 0.0002 RSA 1024 1672 0.3835 RSA 2028 1 0.0002 RSA 2047 2 0.0005 RSA 2048 403610 92.5739 RSA 2049 1 0.0002 RSA 2056 5 0.0011 RSA 2058 2 0.0005 RSA 2064 1 0.0002 RSA 2080 2 0.0005 RSA 2084 8 0.0018 RSA 2345 1 0.0002 RSA 2408 2 0.0005 RSA 2432 11 0.0025 RSA 2536 1 0.0002 RSA 3050 1 0.0002 RSA 3072 61 0.014 RSA 3096 1 0.0002 RSA 3248 3 0.0007 RSA 3600 1 0.0002 RSA 4046 2 0.0005 RSA 4048 2 0.0005 RSA 4056 4 0.0009 RSA 4069 1 0.0002 RSA 4086 2 0.0005 RSA 4092 4 0.0009 RSA 4096 14038 3.2198 RSA 4098 2 0.0005 RSA 4192 1 0.0002 RSA 8192 5 0.0011 RSA/ECDSA Dual Stack 12472 2.8606 OCSP stapling Count Percent -------------------------+---------+-------- Supported 60520 13.8811 Unsupported 375467 86.1189 Supported Protocols Count Percent -------------------------+---------+------- SSL2 44800 10.2755 SSL2 Only 5536 1.2698 SSL3 302890 69.4723 SSL3 Only 2971 0.6814 SSL3 or TLS1 Only 109447 25.1033 TLS1 426128 97.7387 TLS1 Only 22838 5.2382 TLS1.1 270662 62.0803 TLS1.1 Only 25 0.0057 TLS1.1 or up Only 610 0.1399 TLS1.2 279090 64.0134 TLS1.2 Only 441 0.1011 TLS1.2, 1.0 but not 1.1 12266 2.8134 Statistics from 484280 chains provided by 627529 hosts Server provided chains Count Percent -------------------------+---------+------- complete 403421 64.2872 incomplete 30809 4.9096 untrusted 193299 30.8032 Trusted chain statistics ======================== Chain length Count Percent -------------------------+---------+------- 2 2084 0.4303 3 460867 95.1654 4 21301 4.3985 5 28 0.0058 CA key size in chains Count -------------------------+--------- ECDSA 256 20950 ECDSA 384 20950 RSA 1024 1362 RSA 2045 1 RSA 2048 915053 RSA 4096 29517 Chains with CA key Count Percent -------------------------+---------+------- ECDSA 256 20950 4.326 ECDSA 384 20950 4.326 RSA 1024 1357 0.2802 RSA 2045 1 0.0002 RSA 2048 461970 95.3932 RSA 4096 29113 6.0116 Signature algorithm (ex. root) Count ------------------------------+--------- ecdsa-with-SHA384 20950 sha1WithRSAEncryption 377133 sha256WithRSAEncryption 68752 sha384WithRSAEncryption 36708 sha512WithRSAEncryption 10 Eff. host cert chain LoS Count Percent -------------------------+---------+------- 80 377698 77.9917 112 85631 17.6821 128 20951 4.3262 Common Root CAs Count Percent ---------------------------------------------+---------+------- (2c543cd1) GeoTrust Global CA 118634 24.497 (157753a5) AddTrust External CA Root 75645 15.6201 (5ad8a5d6) GlobalSign Root CA 56056 11.5751 (cbf06781) Go Daddy Root Certificate Authorit 34301 7.0829 (2e4eed3c) thawte Primary Root CA 27922 5.7657 (b204d74a) VeriSign Class 3 Public Primary Ce 27262 5.6294 (244b5494) DigiCert High Assurance EV Root CA 23640 4.8815 (eed8c118) COMODO ECC Certification Authority 20947 4.3254 (f081611a) The Go Daddy Group, Inc. 21077 4.3522 (b13cc6df) UTN-USERFirst-Hardware 13019 2.6883 (653b494a) Baltimore CyberTrust Root 11115 2.2952 (40547a79) COMODO Certification Authority 10071 2.0796 (ae8153b9) StartCom Certification Authority 8762 1.8093 (f387163d) Starfield Technologies, Inc. 8273 1.7083 The scan was performed between 13th and 24th of October 2014. -- Regards, Hubert Kario

1 0

changes for F21 in securing-tls
by Nikos Mavrogiannopoulos 13 Oct '14

13 Oct '14

This patch updates the text to account for: http://fedoraproject.org/wiki/Changes/CryptoPolicy

1 0

[Secure Coding] master: Update revision history in preparation of publication (0ef43f9)
by fweimer＠fedoraproject.org 13 Oct '14

13 Oct '14

Repository : http://git.fedorahosted.org/git/?p=secure-coding.git On branch : master >--------------------------------------------------------------- commit 0ef43f912113fd6cccc4b5d7b19066d83ce2aee6 Author: Florian Weimer <fweimer(a)redhat.com> Date: Mon Oct 13 09:54:53 2014 +0200 Update revision history in preparation of publication >--------------------------------------------------------------- defensive-coding/en-US/Revision_History.xml | 15 +++++++++++++++ 1 files changed, 15 insertions(+), 0 deletions(-) diff --git a/defensive-coding/en-US/Revision_History.xml b/defensive-coding/en-US/Revision_History.xml index f0f0c78..e2dfe12 100644 --- a/defensive-coding/en-US/Revision_History.xml +++ b/defensive-coding/en-US/Revision_History.xml @@ -8,6 +8,21 @@ <simpara> <revhistory> <revision> + <revnumber>1.3-1</revnumber> + <date>Mon Oct 13 2014</date> + <author> + <firstname>Florian</firstname> + <surname>Weimer</surname> + <email>fweimer(a)redhat.com</email> + </author> + <revdescription> + <simplelist> + <member>Go: Mention default value handling in deserialization</member> + <member>Shell: New chapter</member> + </simplelist> + </revdescription> + </revision> + <revision> <revnumber>1.2-1</revnumber> <date>Wed Jul 16 2014</date> <author>

1 0

[Secure Coding] master: Shell: Use a snippet for the input validation example (0c1d3d4)
by fweimer＠fedoraproject.org 13 Oct '14

13 Oct '14

Repository : http://git.fedorahosted.org/git/?p=secure-coding.git On branch : master >--------------------------------------------------------------- commit 0c1d3d46838c1427d17cadabf4000444bb614046 Author: Florian Weimer <fweimer(a)redhat.com> Date: Mon Oct 13 09:51:42 2014 +0200 Shell: Use a snippet for the input validation example Add self-tests to the snippet code. Mention that this construct is bash-specific. Fixes the broken regular expression spotted by Eric Blake. >--------------------------------------------------------------- defensive-coding/en-US/Shell.xml | 27 ++++++------- ...ons-snprintf.xml => Shell-Input_Validation.xml} | 10 +++- defensive-coding/src/Shell-Input_Validation.sh | 41 ++++++++++++++++++++ 3 files changed, 61 insertions(+), 17 deletions(-) diff --git a/defensive-coding/en-US/Shell.xml b/defensive-coding/en-US/Shell.xml index f889dc1..d6a9465 100644 --- a/defensive-coding/en-US/Shell.xml +++ b/defensive-coding/en-US/Shell.xml @@ -398,23 +398,22 @@ trap cleanup 0 linkend="sect-Defensive_Coding-Shell-Arithmetic"/>. </para> <para> - The following construct can be used to check if a string - “<literal>$value</literal>” is an integer. + <xref linkend="ex-Defensive_Coding-Shell-Input_Validation"/> + shows a construct which can be used to check if a string + “<literal>$value</literal>” is an integer. This construct is + specific to <application>bash</application> and not portable to + POSIX shells. </para> - <informalexample> - <programlisting language="Bash"> -if [[ $value =~ ^-?[0-9]$ ]] ; then - echo value is an integer -else - echo "value is not an integer" 1>&2 - exit 1 -fi - </programlisting> - </informalexample> + <example id="ex-Defensive_Coding-Shell-Input_Validation"> + <title>Input validation in <application>bash</application></title> + <xi:include href="snippets/Shell-Input_Validation.xml" + xmlns:xi="http://www.w3.org/2001/XInclude" /> + </example> <para> Using <literal>case</literal> statements for input validation is - also possible, but the pattern language is more restrictive, and - it can be difficult to write suitable patterns. + also possible and supported by other (POSIX) shells, but the + pattern language is more restrictive, and it can be difficult to + write suitable patterns. </para> <para> The <literal>expr</literal> external command can give misleading diff --git a/defensive-coding/en-US/snippets/C-String-Functions-snprintf.xml b/defensive-coding/en-US/snippets/Shell-Input_Validation.xml similarity index 60% copy from defensive-coding/en-US/snippets/C-String-Functions-snprintf.xml copy to defensive-coding/en-US/snippets/Shell-Input_Validation.xml index dc790d8..61cb7d1 100644 --- a/defensive-coding/en-US/snippets/C-String-Functions-snprintf.xml +++ b/defensive-coding/en-US/snippets/Shell-Input_Validation.xml @@ -2,7 +2,11 @@ <!DOCTYPE programlisting PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ ]>  -<programlisting language="C"> -char fraction[30]; -snprintf(fraction, sizeof(fraction), "%d/%d", numerator, denominator); +<programlisting language="Bash"> +if [[ $value =~ ^-?[0-9]+$ ]] ; then + echo value is an integer +else + echo "value is not an integer" 1>&2 + exit 1 +fi </programlisting> diff --git a/defensive-coding/src/Shell-Input_Validation.sh b/defensive-coding/src/Shell-Input_Validation.sh new file mode 100644 index 0000000..2b86a49 --- /dev/null +++ b/defensive-coding/src/Shell-Input_Validation.sh @@ -0,0 +1,41 @@ +#!/bin/bash + +validate () { + local value="$1" + #+ Shell Input_Validation + if [[ $value =~ ^-?[0-9]+$ ]] ; then + echo value is an integer + else + echo "value is not an integer" 1>&2 + exit 1 + fi + #- +} + +check_validate () { + local value="$1" + local expected="$2" + ( + validate "$value" + ) >/dev/null 2>/dev/null + result="$?" + if ! test "$result" -eq "$expected" ; then + echo "failure: validate \"$value\" $expected -> got $result" + fi +} + +check_validate "" 1 +check_validate "0" 0 +check_validate "9" 0 +check_validate "-0" 0 +check_validate "-9" 0 +check_validate "10" 0 +check_validate "19" 0 +check_validate "-10" 0 +check_validate "-19" 0 +check_validate " 0" 1 +check_validate "--1" 1 +check_validate "1-" 1 +check_validate "1 || 0" 1 +check_validate '1$(kill -9 $PPID)' 1 +check_validate '2$(id)' 1

1 0

[Secure Coding] master: Add support for shell snippets (0026cc0)
by fweimer＠fedoraproject.org 13 Oct '14

13 Oct '14

Repository : http://git.fedorahosted.org/git/?p=secure-coding.git On branch : master >--------------------------------------------------------------- commit 0026cc05cf2568357e2d8d91aa8da1f1e4b84bfa Author: Florian Weimer <fweimer(a)redhat.com> Date: Mon Oct 13 09:49:48 2014 +0200 Add support for shell snippets >--------------------------------------------------------------- defensive-coding/Makefile | 2 +- defensive-coding/scripts/split-snippets.py | 1 + 2 files changed, 2 insertions(+), 1 deletions(-) diff --git a/defensive-coding/Makefile b/defensive-coding/Makefile index 2090dad..f57f808 100644 --- a/defensive-coding/Makefile +++ b/defensive-coding/Makefile @@ -9,7 +9,7 @@ build: build-src build-manual build-snippets: mkdir -p en-US/snippets python scripts/split-snippets.py . \ - src/*.c src/*.cpp src/*.java src/*.py src/*.go + src/*.c src/*.cpp src/*.java src/*.py src/*.go src/*.sh build-manual: build-snippets publican build --formats=html,epub,pdf --langs=en-US diff --git a/defensive-coding/scripts/split-snippets.py b/defensive-coding/scripts/split-snippets.py index 7244ced..6f87b6e 100644 --- a/defensive-coding/scripts/split-snippets.py +++ b/defensive-coding/scripts/split-snippets.py @@ -34,6 +34,7 @@ def extension_to_language(path, map={ 'c' : 'C', 'py' : 'Python', 'java' : 'Java', + 'sh' : 'Bash', }): return map.get(path.split('.')[-1], 'C')

1 0

[Secure Coding] master: Shell: Fix internal reference (b7ec6fc)
by fweimer＠fedoraproject.org 13 Oct '14

13 Oct '14

Repository : http://git.fedorahosted.org/git/?p=secure-coding.git On branch : master >--------------------------------------------------------------- commit b7ec6fc7882d999c57ce47fc0b667c2c96647c7c Author: Florian Weimer <fweimer(a)redhat.com> Date: Mon Oct 13 09:34:16 2014 +0200 Shell: Fix internal reference Spotted by Kamil Dudka. Also use "double expansion" consistently. >--------------------------------------------------------------- defensive-coding/en-US/Shell.xml | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/defensive-coding/en-US/Shell.xml b/defensive-coding/en-US/Shell.xml index 042ac61..f889dc1 100644 --- a/defensive-coding/en-US/Shell.xml +++ b/defensive-coding/en-US/Shell.xml @@ -93,7 +93,7 @@ external-program "$arg1" "$arg2" shell scripts difficult. </para> <para> - Double evaluation can be requested explicitly with the + Double expansion can be requested explicitly with the <literal>eval</literal> built-in command, or by invoking a subshell with “<literal>bash -c</literal>”. These constructs should not be used. @@ -108,8 +108,8 @@ external-program "$arg1" "$arg2" <emphasis>Arithmetic evaluation</emphasis> is a process by which the shell computes the integer value of an expression specified as a string. It is highly problematic for two reasons: It - triggers double evaluation (see <xref - linkend="sect-Defensive_Coding-Shell-Arithmetic"/>), and the + triggers double expansion (see <xref + linkend="sect-Defensive_Coding-Shell-Double_Expansion"/>), and the language of arithmetic expressions is not self-contained. Some constructs in arithmetic expressions (notably array subscripts) provide a trapdoor from the restricted language of arithmetic

1 0

[Secure Coding] master: Shell: Update section on input validation (e23c383)
by fweimer＠fedoraproject.org 10 Oct '14

10 Oct '14

Repository : http://git.fedorahosted.org/git/?p=secure-coding.git On branch : master >--------------------------------------------------------------- commit e23c38377538e4c9f0311347b6fc15b8c1dddd37 Author: Florian Weimer <fweimer(a)redhat.com> Date: Fri Oct 10 16:44:53 2014 +0200 Shell: Update section on input validation Also mention safety of [[ $var =~ regexp ]]. >--------------------------------------------------------------- defensive-coding/en-US/Shell.xml | 36 +++++++++++++++++++++--------------- 1 files changed, 21 insertions(+), 15 deletions(-) diff --git a/defensive-coding/en-US/Shell.xml b/defensive-coding/en-US/Shell.xml index 24554b1..042ac61 100644 --- a/defensive-coding/en-US/Shell.xml +++ b/defensive-coding/en-US/Shell.xml @@ -162,6 +162,14 @@ external-program "$arg1" "$arg2" evaluation, even with integer operators such as <literal>-eq</literal>.) </para> + <para> + The conditional expression + “<literal>[[ $</literal><emphasis>variable</emphasis><literal> =~ </literal><emphasis>regexp</emphasis><literal> ]]</literal>” + can be used for input validation, assuming that + <emphasis>regexp</emphasis> is a constant regular + expression. + See <xref linkend="sect-Defensive_Coding-Shell-Input_Validation"/>. + </para> </listitem> <listitem> <para> @@ -391,29 +399,27 @@ trap cleanup 0 </para> <para> The following construct can be used to check if a string - “<literal>$value</literal>” is not a non-negative integer. + “<literal>$value</literal>” is an integer. </para> <informalexample> <programlisting language="Bash"> -case "$value" in - *[!0-9]*) - echo "invalid input value" 1>&2 - exit 1 - ;; -esac +if [[ $value =~ ^-?[0-9]$ ]] ; then + echo value is an integer +else + echo "value is not an integer" 1>&2 + exit 1 +fi </programlisting> </informalexample> <para> - The pattern “<literal>*[!0-9]*</literal>” is not special shell - syntax—it matches any string which contains arbitrary characters, - followed by a non-digit, followed by arbitrary characters. + Using <literal>case</literal> statements for input validation is + also possible, but the pattern language is more restrictive, and + it can be difficult to write suitable patterns. </para> <para> - Using <literal>case</literal> statements is the most reliable way - for performing input validation, although constructing proper - patterns is difficult. The <literal>expr</literal> external - command and the built-in operator <literal>=~</literal> can give - misleading results. + The <literal>expr</literal> external command can give misleading + results (e.g., if the value being checked contains operators + itself) and should not be used. </para> </section> <section id="sect-Defensive_Coding-Shell-Edit_Guard">

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

security October 2014