
[perl #117265] [PATCH] e213661 no warnings 'safesyscalls', fatal nul checks

Tony Cook via RT
June 27, 2013 06:46
On Tue Mar 26 14:29:41 2013, rurban wrote:
> Attached is the revised patch
> Check for the nul char in pathnames and string arguments to
> syscalls, return undef and set errno to ENOENT.
> Added to the default severe warnings category syscalls.
> Strings with embedded \0 chars were prev. ignored in the syscall but
> kept in perl. The hidden payloads in these invalid string args may cause
> unnoticed security problems, as they are hard to detect, ignored by
> the syscalls but kept around in perl PVs.
> Allow an ending \0 though, as several modules add a \0 to
> such strings without adjusting the length.
> Ignored on WinCE since this uses the wide char API.

Hi Reini,

I've had a look over this patch, but I can see it's treating a failure
due to \0 differently to failure due to an actual missing file, eg:

tony@mars:.../git/perl$ ./perl -Wle 'print unlink "def", "abc\0def", "ghi"'
Invalid \0 character in pathname: abc\0def at -e line 1.
tony@mars:.../git/perl$ ./perl -Wle 'print unlink "def", "abc", "ghi"'

I've attached a version of the patch updated to work with blead.


via perlbug:  queue: perl5 status: open
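
Added example, not part of the thread or of the attached patch: a C sketch of the check the quoted patch description outlines, rejecting a counted string with an embedded NUL before it reaches unlink(2), tolerating one trailing NUL, and failing with ENOENT. The names has_embedded_nul and checked_unlink are hypothetical, and the sample name is constructed from the one in the message.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper, not taken from the patch. `len` is the length Perl
 * records for the string. Returns 1 when a NUL sits anywhere before the
 * last byte, i.e. where a C pathname API would silently cut the string.
 * A single trailing NUL is tolerated, as the patch description allows. */
int has_embedded_nul(const char *s, size_t len)
{
    const char *p = len ? memchr(s, '\0', len) : NULL;
    return p != NULL && (size_t)(p - s) != len - 1;
}

/* Hypothetical wrapper: reject the path before the syscall sees it and
 * report ENOENT, the errno the patch description names. */
int checked_unlink(const char *path, size_t len)
{
    if (has_embedded_nul(path, len)) {
        errno = ENOENT;
        return -1;
    }
    return unlink(path); /* path must be NUL-terminated past len, as literals are */
}

int main(void)
{
    /* Constructed sample: the name from the message above, 7 bytes long. */
    const char name[] = "abc\0def";
    size_t perl_len = sizeof name - 1;

    printf("length kept by Perl: %zu, length seen by unlink(2): %zu\n",
           perl_len, strlen(name));
    if (checked_unlink(name, perl_len) == -1)
        printf("rejected: %s\n", strerror(errno));
    return 0;
}
```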
