Red Hat Bugzilla – Bug 1282016
inotifywait does not accept NULL as field separator when using the --format option
Last modified: 2017-01-01 19:14:26 EST
Description of problem:
inotifywait does not accept NULL as field separator when using the --format option. This means that specially crafted, malicious filenames (for example, a filename with a newline character) can be used to hijack third-party code relying on inotifywait.
For example, think about a replication service that uses inotifywait to know what events/files to replicate on a remote server. Using a malicious filename with an embedded newline and deleting it, the remote server will replicate a wrong (and potentially very dangerous) delete event.
See here for more details: https://github.com/rvoicilas/inotify-tools/issues/20
Version-Release number of selected component (if applicable):
How reproducible:
Embed a newline in a monitored filename
Steps to Reproduce:
1. create a file with a newline embedded in its name (eg: touch '/tmp/test
2. use inotifywait to monitor a directory (eg: inotifywait -m -r /tmp)
3. delete the file
4. the resulting inotify event will be split into two different rows
Actual results:
The resulting inotify event will be split into two different rows, exposing wrong events/filenames to applications reading from inotifywait (e.g. using a pipe)
Expected results:
Using a NULL char as field separator, inotifywait will be invulnerable to malicious filenames (as NULL is an invalid char for filenames on almost all filesystems)
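The ambiguity described in this report, as an added example that is not part of the original bug report or of inotify-tools: a consumer parsing newline-terminated records sees two events for one deletion, while a NUL-delimited stream round-trips the same event intact. The sample event and the NUL record layout (each field followed by a NUL byte) are assumptions made for illustration.

```python
import os

# Constructed sample: ONE real DELETE event whose filename embeds a newline.
EVENTS = [("/tmp/", "DELETE", "test\n/tmp/ DELETE other.txt")]

def emit_lines(events):
    """Newline-terminated 'dir EVENT name' records, as in inotifywait's default output."""
    return b"".join(os.fsencode(f"{d} {e} {n}\n") for d, e, n in events)

def emit_nul(events):
    """Assumed NUL layout (hypothetical, for illustration): each field + NUL."""
    return b"".join(os.fsencode(f) + b"\0" for ev in events for f in ev)

def parse_lines(stream):
    """Consumer that assumes one line is one event."""
    records = stream.split(b"\n")[:-1]  # drop the empty tail after the last \n
    return [tuple(os.fsdecode(p) for p in r.split(b" ", 2)) for r in records]

def parse_nul(stream):
    """Consumer for the NUL layout; rejects streams that are not whole records."""
    if stream and not stream.endswith(b"\0"):
        raise ValueError("truncated stream: last field has no NUL terminator")
    fields = stream.split(b"\0")[:-1]
    if len(fields) % 3:
        raise ValueError("field count is not a multiple of three")
    return [tuple(os.fsdecode(f) for f in fields[i:i + 3])
            for i in range(0, len(fields), 3)]

if __name__ == "__main__":
    # The line-based consumer reports a second event that never happened.
    print("line-based:", parse_lines(emit_lines(EVENTS)))
    # The NUL-based consumer returns the single original event.
    print("NUL-based: ", parse_nul(emit_nul(EVENTS)))
```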