[ossec-dev] [Bug 87] New: os_regex_maps hostname_map errors

[ossec-bugzilla@xxxxxxxxxxxxxxxxxxxxxxxxxxx]

http://www.ossec.net/bugs/show_bug.cgi?id=87

           Summary: os_regex_maps hostname_map errors
           Product: OSSEC
           Version: 1.4
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P3
         Component: ossec core
        AssignedTo: ossec-dev@xxxxxxxxx
        ReportedBy: t@xxxxxxxx


Sun's compiler throws errors when parsing the hostname_map array in
os_regex/os_regex_maps.h. For elements greater than octal 127 (\200+),
compilation fails with a message like "line 33: warning: initializer does not
fit or is out of range: -128". The compiler doesn't complain if hostname_map
elements are specified as hex or decimal; One solution could simply be to state
"OSSEC only supports the gcc compiler", but I think this bit of code should be
made cleaner.

According to the documented code, the hostname charmap is a list of available
characters: "a-z, A-Z, 0-9, -, _, ., @". This is sort of misleading, because
isValidChar doesn't verify that that the input contains only valid characters;
it instead checks the input for undesired characters. From a security
standpoint, my personal opinion is that ossec should verify input contains only
the desired characters, and not look for characters you don't want. In other
words: instead of "deny the undesired, allow everything else", "allow the
desired, deny everything else."

Following this method, the set of items would be smaller, and the missing items
would be more apparent (as would the 68 extra entries of \001). If the list of
desired characters is correct, these additional characters are mistakenly
allowed:
    0x28 (
    0x29 )
    0x2F /
    0xF8 through 0xFF - accented characters


-- 
Configure bugmail: http://www.ossec.net/bugs/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.