by _6vnx 2178 days ago
Fun story about one of the devices mentioned there that I worked on. We used to store the saved wifi creds in a file named exactly what the SSID was.

Some user managed to break things, and with their permission we gathered detailed wifi logs and found they were connected to an SSID that was an ASCII depiction of the equation: [redacted] plus [redacted] equals [redacted]. The issue was the forward slashes, presumably there to add [redacted]. Must have been an awkward customer service follow-up when we told them to change their SSID while they waited for an update.

3 comments

Sounds like a directory traversal to me :)

It's generally a bad idea to have the user in control of filenames you create if those files are not on a device they own.

In this case, it sounds like the files were on a device owned by the user?

The user in control here is the one configuring the SSID, which is not necessarily the same one owning the device used to connect to it.

I guess SCHiM means "own" as in "have administrative control over".

Really they should have fixed the software instead of telling the user to change it. It's a perfectly valid SSID.

And really, using raw environment-derived data directly on the filesystem?? What if the SSID had been "/etc/passwd" or something similar and it wrote to that?

We just told them to change it until we could ship an update that fixed it. We agreed that it was a perfectly valid SSID.

Always base64 data you do that kind of thing with!

Yeah and definitely never use user-derived data directly in your filesystem.
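The file-naming problem discussed in this thread, as an added example that is not code from the device or from any commenter: it contrasts naming the credentials file after the raw SSID with naming it after an encoded SSID. `CRED_DIR`, the function names and the sample SSIDs are constructed for illustration; the URL-safe base64 alphabet is used because standard base64 output can itself contain `/`.

```python
import base64
import os

CRED_DIR = "/var/lib/wifi/creds"  # hypothetical storage directory (assumption)
MAX_SSID_LEN = 32                 # an 802.11 SSID is at most 32 octets


def naive_path(ssid: bytes) -> str:
    """The pattern from the story: the file is named exactly what the SSID is."""
    return os.path.join(CRED_DIR, ssid.decode("utf-8", "surrogateescape"))


def safe_path(ssid: bytes) -> str:
    """Name the file after the URL-safe base64 of the SSID bytes.

    The encoded name uses only A-Z, a-z, 0-9, '-', '_' and '=', so it
    cannot contain a path separator, a NUL byte, or be '.' or '..'.
    """
    if not 0 < len(ssid) <= MAX_SSID_LEN:
        raise ValueError("SSID must be 1 to 32 octets")
    name = base64.urlsafe_b64encode(ssid).decode("ascii")
    return os.path.join(CRED_DIR, name + ".cred")


def ssid_from_path(path: str) -> bytes:
    """Recover the original SSID bytes from a file created by safe_path."""
    name = os.path.basename(path)
    if not name.endswith(".cred"):
        raise ValueError("not a credentials file")
    return base64.urlsafe_b64decode(name[: -len(".cred")])


def is_direct_child(path: str) -> bool:
    """True only if the normalised path is a file directly inside CRED_DIR."""
    return os.path.dirname(os.path.normpath(path)) == os.path.normpath(CRED_DIR)


if __name__ == "__main__":
    # Constructed SSIDs: embedded slash, absolute path, traversal, raw bytes.
    samples = [b"cafe/guest", b"/etc/passwd", b"../../etc/x", b"\xff\xff\xff"]
    for ssid in samples:
        for label, path in (("naive", naive_path(ssid)), ("safe", safe_path(ssid))):
            print(f"{label:5} {ssid!r:16} -> {path}  contained={is_direct_child(path)}")
```

On a case-insensitive filesystem two SSIDs whose base64 differs only by letter case would collide; hex encoding of the 32 octets avoids that at the cost of a 64-character name.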