Opened 8 years ago

Closed 7 years ago

#5741 closed feature request (wontfix)

openFile should fail if null bytes are in the argument

Reported by: Veinor
Owned by:
Priority: high
Milestone: 7.6.1
Component: libraries/base
Version: 7.2.1
Keywords:
Cc:
Operating System: Unknown/Multiple
Architecture: Unknown/Multiple
Type of failure: Runtime performance bug
Test Case:
Blocked By:
Blocking:
Related Tickets:
Differential Rev(s):
Wiki Page:

Description

If the argument to openFile contains a null byte, right now it silently truncates everything after the null byte. This could lead to a vulnerability if the programmer relies on the presence of an extension such as ".cfg" to prevent people from reading in, say, /etc/passwd.

Change History (4)

comment:1 Changed 8 years ago by igloo

difficulty: Unknown
Milestone: 7.6.1
Priority: normal → high

Should we make this throw an exception, or is checking for NULs just part of the input sanitation that the programmer needs to do? I'm inclined towards the latter (although we should probably document it somewhere if so). What do other people think?

comment:2 Changed 8 years ago by simonmar

Arguably truncation on NUL is part of the filesystem semantics of the underlying OS, just like / being the directory separator.

comment:3 Changed 7 years ago by GregWeber

This is likely handled properly by the system-filepath library.

comment:4 Changed 7 years ago by simonmar

Resolution: wontfix
Status: new → closed

I'm inclined not to do anything here. If you're allowing the user to supply a filename in a secure setting, you should do a lot more than just check for a .cfg extension; you should probably be extremely restrictive - e.g. the filename must be composed only of the characters [A-Za-z0-9_.-].
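The following is an added example, not code from the ticket or from GHC's base library, showing the defensive approach the description and comment:4 point at: reject a user-supplied name before it ever reaches openFile, checking for an embedded NUL explicitly and then applying the restrictive character set [A-Za-z0-9_.-] plus the required ".cfg" suffix. The names validateName, openConfig and NameError are this example's own, and the inputs in main are constructed. The wrapper does not rely on how any particular GHC version treats a NUL in the path, which is the point: the truncation hazard is removed before the call.

```haskell
-- Added example (not from the ticket or GHC's base library): validate a
-- user-supplied file name before handing it to openFile.
module Main where

import Data.Char (isAsciiLower, isAsciiUpper, isDigit)
import Data.List (find, isSuffixOf)
import System.IO (Handle, IOMode (..), openFile)

-- Why a name was rejected.
data NameError
  = EmptyName
  | ContainsNul        -- the case from the ticket: the OS would truncate here
  | BadChar Char       -- anything outside [A-Za-z0-9_.-], including '/'
  | BadExtension       -- does not end in ".cfg"
  deriving (Show, Eq)

-- The character whitelist suggested in comment:4.
allowedChar :: Char -> Bool
allowedChar c = isAsciiUpper c || isAsciiLower c || isDigit c || c `elem` "_.-"

-- Validate a bare file name (no directory part) that must end in ".cfg".
-- The NUL check comes first so the truncation hazard is reported by name,
-- even though the whitelist below would also reject '\0'.
validateName :: String -> Either NameError String
validateName name
  | null name                               = Left EmptyName
  | '\0' `elem` name                        = Left ContainsNul
  | Just c <- find (not . allowedChar) name = Left (BadChar c)
  | not (".cfg" `isSuffixOf` name)          = Left BadExtension
  | otherwise                               = Right name

-- Open a validated config file inside a fixed directory (hypothetical helper).
-- Because '/' is not in the whitelist, the name cannot escape 'dir'.
openConfig :: FilePath -> String -> IO Handle
openConfig dir name =
  case validateName name of
    Left err   -> ioError (userError ("rejected file name: " ++ show err))
    Right safe -> openFile (dir ++ "/" ++ safe) ReadMode

main :: IO ()
main = do
  -- Constructed inputs: one good name and three that must be rejected.
  let inputs =
        [ "app.cfg"
        , "../../../etc/passwd\0.cfg"  -- NUL: would be truncated to ../../../etc/passwd
        , "../etc/passwd.cfg"          -- '/' is outside the whitelist
        , "notes.txt"                  -- wrong extension
        ]
  mapM_ (\n -> putStrLn (show n ++ " -> " ++ show (validateName n))) inputs
```

Run with `runghc` on a plain GHC install; only base is needed. The whitelist deliberately excludes '/', so directory traversal is rejected by the same check as the NUL, and openConfig never constructs a path from anything but a name that passed validateName.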
