Challenge file name should not start with dash

So... 32 chars of 64 possibilities [64^32] compared to:
31 chars of 64 possibilities and one char of 63 possibilities [64^31*63]
just for the visual effect:

64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64
63*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64*64

for less visual effect:

(2^186)*64 = 6.27710174e57
(2^186)*63 = 6.17902202e57

Yes, a loss of over 1.5%... but, from a number so large, does it really even matter?

1 Like

The real problem comes in if the "-" creates a problem anywhere within base64 encoding.
If that is the case... then there is about a 50% chance that would happen and would significantly impact the entire process [a definite deal breaker].

So... does it create a problem anywhere else?

2 Likes

It only creates a slight nuisance for a very small number of people if it starts with a dash.

2 Likes

It only creates a nuisance for people that use echo with no quotes.

If you go full 1337 and answer the challenge with nc and a keyboard, or you stay on the beaten path with certbot, you'll never notice the hyphen.

2 Likes

AFAIK quotes won't cut it; as mentioned earlier in this thread, you need to "end" the parsing of dash-prefixed arguments to the command by using --. After -- you can enter all the options you want starting with a dash; they won't get parsed as a "regular option" (e.g. -p).

2 Likes

You mean

echo '-something'

won't work?

Zsh doesn't complain:

% echo '-something'
-something
% echo "-something"
-something
%

Neither do dash and sh (I don't know what that is here)

% dash
$ echo '-something'
-something
$ echo "-something"
-something
$
% sh
$ echo '-something'
-something
$ echo "-something"
-something
$

Hm, quotes seem to work sometimes, like echo in your example (below it's not actually part of the demonstration). But.. Try the following:

osiris@erazer tmp $ echo "foo" > '-bar'
osiris@erazer tmp $ ls
-bar
osiris@erazer tmp $ cat '-bar'
cat: invalid option -- 'a'
Try 'cat --help' for more information.
osiris@erazer tmp $ cat "-bar"
cat: invalid option -- 'a'
Try 'cat --help' for more information.
osiris@erazer tmp $ 

So echo doesn't have an issue with it, but cat does, perhaps due to the fact it's a filename? Just like the token?

Anyway, just use --:

osiris@erazer tmp $ cat -- -bar
foo
osiris@erazer tmp $ 

No quotes necessary :slight_smile:

Anyway, Let's Encrypt has issued 2 498 820 194 certificates between 2015-10-08 and yesterday. Which is.. Well.. A LOT! And only two (!!) complaints in these seven (!!) years of issuance. So I guess it's not that big a deal in the grand scheme of things. :slight_smile:

3 Likes

The distinction in your example above is actually the > which is processed by the shell in such a way that the program to the left of the > redirection does not see the single token that follows the > at all. It's not specifically about the behavior of the cat or echo programs.

3 Likes

@schoen That > was just to generate the -bar file, not actually part of the demonstration. I tried to demonstrate that cat does not like files beginning with a dash and interprets it as option arguments, even with quotes around it. And that the double dash fixes everything :slight_smile:

3 Likes

Isn't it actually a 32 byte array (256 bits), which results in 43 6-bit Base64url characters (where the last character only uses 4 of 6 bits)? ^^

So the number of regular possibilities would be:
2^256 = 1.1579208924e+77

When using Base64url and the first character mustn't start with a dash, that would mean for the first group of 6 bits there is one less possibility, which would mean:
(2^6-1)*2^(256-6) = 1.1398283784e+77

(The loss is the same (1-63/64): 1.5625 %)

However, it might be harder to generate a random number for a range which isn't a power of two, especially for security purposes (e.g. generate it in constant time and balanced); in that case it might be necessary to omit a full bit, which would mean
2^255 = 5.7896044619e+76

(which would be a loss of 50 %)

1 Like

cat -- -bar is a valid construction to avoid this issue, though depending on what command you're running -- may not be universally supported. Another potential option is to use a relative path like ./-bar or an absolute path like /tmp/foo/-bar, depending on what's easiest for your script. So long as the program takes a filename, that's more universal.

7 Likes
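Added example (not part of any post in this thread): a POSIX sh sketch of the two workarounds discussed above, the `./` path prefix and `--`, applied to writing and reading an HTTP-01 challenge file whose token starts with a dash. The function names `safe_path`, `write_challenge` and `read_challenge` are hypothetical, and the token and key authorization are constructed sample values.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample values are constructed.

# Return a path no utility can mistake for an option:
# relative names get a ./ prefix, absolute paths pass through unchanged.
safe_path() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf './%s\n' "$1" ;;
    esac
}

# Write the key authorization to <webroot>/.well-known/acme-challenge/<token>.
# printf '%s' is used instead of echo so a value starting with '-' is
# written literally and never parsed as an option.
write_challenge() {
    webroot=$1 token=$2 keyauth=$3
    # base64url has no '/', so an empty token or one containing '/' is rejected.
    case "$token" in
        ''|*/*) return 1 ;;
    esac
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p -- "$dir" || return 1
    printf '%s' "$keyauth" > "$dir/$token"
}

# Read the file back from inside the challenge directory, which is the case
# where the bare file name would begin with '-' and trip up cat.
read_challenge() {
    ( cd -- "$1/.well-known/acme-challenge" && cat "$(safe_path "$2")" )
}

# Demo with constructed values (not real ACME data).
demo_root=$(mktemp -d)
write_challenge "$demo_root" "-constructedToken_123" \
    "-constructedToken_123.constructedThumbprint"
read_challenge "$demo_root" "-constructedToken_123"; echo
rm -rf -- "$demo_root"
```
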

More methods of not running into any issues and thus all the more reasons not to tamper with the token structure!

2 Likes

how about the client just ignores things that start with "-" and asks for a new one?
[chances are very high that it won't repeat another "-"]

3 Likes
