develooper Front page | perl.perl5.porters | Postings from June 2013

Re: [perl #117265] [PATCH] e213661 no warnings 'safesyscalls', fatalnul checks

Thread Previous | Thread Next
Reini Urban
June 27, 2013 13:41
Re: [perl #117265] [PATCH] e213661 no warnings 'safesyscalls', fatalnul checks
Message ID:
On 06/27/2013 01:45 AM, Tony Cook via RT wrote:
> On Tue Mar 26 14:29:41 2013, rurban wrote:
>> Attached is the revised patch
>> Check for the nul char in pathnames and string arguments to
>> syscalls, return undef and set errno to ENOENT.
>> Added to the default severe warnings category syscalls.
>> Strings with embedded \0 chars were prev. ignored in the syscall but
>> kept in perl. The hidden payloads in these invalid string args may cause
>> unnoticed security problems, as they are hard to detect, ignored by
>> the syscalls but kept around in perl PVs.
>> Allow an ending \0 though, as several modules add a \0 to
>> such strings without adjusting the length.
>> Ignored on WinCE since this uses the wide char API.
> Hi Reini,
> I've had a look over this patch, but I can see it's treating a failure
> due to \0 differently to failure due to an actual missing file, eg:
> tony@mars:.../git/perl$ ./perl -Wle 'print unlink "def", "abc\0def", "ghi"'
> Invalid \0 character in pathname: abc\0def at -e line 1.
> 1
> tony@mars:.../git/perl$ ./perl -Wle 'print unlink "def", "abc", "ghi"'
> 0
> I've attached a version of the patch updated to work with blead.

Great, Thanks for the improvements.
I've looked over it, LGTM

Can someone please apply it now.


Working towards a true Modern Perl.
Slim, functional, unbloated, compile-time optimizable

Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About