
[perl #117265] [PATCH] e213661 no warnings 'safesyscalls', fatal nul checks

From: Tony Cook via RT
Date: June 27, 2013 06:46
Subject: [perl #117265] [PATCH] e213661 no warnings 'safesyscalls', fatal nul checks
Message ID: rt-3.6.HEAD-2552-1372315558-1297.117265-15-0@perl.org

On Tue Mar 26 14:29:41 2013, rurban wrote:
> Attached is the revised patch
> 
> Check for the nul char in pathnames and string arguments to
> syscalls, return undef and set errno to ENOENT.
> Added to the default severe warnings category syscalls.
>     
> Strings with embedded \0 chars were prev. ignored in the syscall but
> kept in perl. The hidden payloads in these invalid string args may cause
> unnoticed security problems, as they are hard to detect, ignored by
> the syscalls but kept around in perl PVs.
> Allow an ending \0 though, as several modules add a \0 to
> such strings without adjusting the length.
> Ignored on WinCE since this uses the wide char API.

Hi Reini,

I've had a look over this patch, but I can see it's treating a failure
due to \0 differently to failure due to an actual missing file, eg:

tony@mars:.../git/perl$ ./perl -Wle 'print unlink "def", "abc\0def", "ghi"'
Invalid \0 character in pathname: abc\0def at -e line 1.
1
tony@mars:.../git/perl$ ./perl -Wle 'print unlink "def", "abc", "ghi"'
0

I've attached a version of the patch updated to work with blead.

Tony



---
via perlbug:  queue: perl5 status: open
https://rt.perl.org:443/rt3/Ticket/Display.html?id=117265
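
Added example, not part of the thread and not code from the attached patch: a C sketch of the check the quoted patch description outlines, rejecting a counted string with an embedded \0 (errno set to ENOENT) while allowing a single ending \0. The names path_is_safe and syscall_visible_len are hypothetical, and the inputs in main are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not taken from the patch: decide whether the counted
 * string buf[0..len) may be passed to a C API that stops at the first NUL.
 * Returns 1 if safe; returns 0 and sets errno to ENOENT otherwise. */
int path_is_safe(const char *buf, size_t len)
{
    const char *nul = memchr(buf, '\0', len);

    if (nul == NULL)
        return 1;                       /* no NUL within the counted bytes */
    if ((size_t)(nul - buf) == len - 1)
        return 1;                       /* a single ending NUL is allowed */
    errno = ENOENT;                     /* embedded NUL: refuse the call */
    return 0;
}

/* Number of bytes a NUL-terminated API would actually act on. */
size_t syscall_visible_len(const char *buf, size_t len)
{
    const char *nul = memchr(buf, '\0', len);
    return nul ? (size_t)(nul - buf) : len;
}

int main(void)
{
    /* Constructed inputs; "abc\0def" is the name used in the message above. */
    static const struct { const char *buf; size_t len; } in[] = {
        { "abc", 3 }, { "abc\0", 4 }, { "abc\0def", 7 }, { "abc\0\0", 5 },
    };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("len=%zu visible=%zu safe=%d\n", in[i].len,
               syscall_visible_len(in[i].buf, in[i].len),
               path_is_safe(in[i].buf, in[i].len));
    return 0;
}
```

For "abc\0def" the counted length is 7 but only 3 bytes would reach the syscall; that gap is the hidden payload the patch description refers to.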
