std.file functions and embedded NUL characters [CWE-158]

kdevel kdevel at vogtner.de
Sun Aug 3 00:03:47 UTC 2025


On Friday, 1 August 2025 at 17:53:17 UTC, Steven Schveighoffer 
wrote:
> [...]
> It's always a fight between correctness and performance here.

Pardon?

> [...]
> I'm not sure that's the library's responsibility. In other 
> words, if I pass in `rmdir("foo")`, then why should I pay the 
> penalty of examining `"foo"` for malicious NUL bytes?

The `NUL` is not representable in `char *`. But all Phobos 
filesystem functions use unadorned `string` parameters for 
pathnames. Who else, if not the designer of the library, shall be 
responsible for coding (not paying!) the extra CPU cycles?

If the library expects pathnames without embedded `NUL`s, I would 
create a subtype of `string`, say `fstring` or `cstring`. One 
then has to discuss which of these calls

```d
rmdir ("a\0b");                // with the technique from [1]
rmdir (fstring ("a\0b"));
rmdir (cast (fstring) ("a\0b"));
```

shall compile and what one expects as runtime behavior.

[1] *Implicit type conversion of an argument when a function is 
called*, 
https://forum.dlang.org/thread/agstjpezerwlgdhphclk@forum.dlang.org
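The boundary the post is talking about, as an added example that is not part of the thread and not Phobos code: the D `string` is length-delimited and can carry a `NUL`, while the C API underneath (`rmdir(const char *)`) stops reading at the first `NUL`. The example is written in C because that is the side where the truncation happens; `dstring`, `fake_rmdir`, `rmdir_unchecked` and `rmdir_checked` are hypothetical names chosen here, `fake_rmdir` only records the path instead of touching the filesystem, and `EINVAL` is this example's choice of error code, not something the post or the library specifies.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length-delimited byte string: the shape a D `string` has when it
 * crosses into C. Unlike `const char *`, it can hold an embedded NUL. */
typedef struct {
    const char *ptr;
    size_t len;
} dstring;

/* Stand-in for the C library's rmdir(const char *). It only records the
 * path it was handed, so the example runs without touching the filesystem.
 * Like every `const char *` interface it cannot see past the first NUL. */
static char last_path_seen[64];

static int fake_rmdir(const char *path)
{
    /* strncpy stops at the first NUL: everything after it is lost. */
    strncpy(last_path_seen, path, sizeof last_path_seen - 1);
    last_path_seen[sizeof last_path_seen - 1] = '\0';
    return 0;
}

/* What the C callee actually received on the last call. */
const char *last_seen(void)
{
    return last_path_seen;
}

/* The check the post argues the library should code: one memchr pass
 * over the path bytes. Returns 1 if an embedded NUL is present. */
int has_embedded_nul(dstring s)
{
    return memchr(s.ptr, '\0', s.len) != NULL;
}

/* Unchecked conversion: copy the bytes, append a terminator, call the C
 * API. With "a\0b" (length 3) the callee sees only "a" (CWE-158). */
int rmdir_unchecked(dstring s, char *buf, size_t bufsize)
{
    if (s.len + 1 > bufsize)
        return ENAMETOOLONG;
    memcpy(buf, s.ptr, s.len);
    buf[s.len] = '\0';
    return fake_rmdir(buf);
}

/* Checked conversion: refuse outright when the path carries a NUL, so a
 * silently shortened name never reaches the C layer. EINVAL is this
 * example's choice of error code (assumption, not library behaviour). */
int rmdir_checked(dstring s, char *buf, size_t bufsize)
{
    if (has_embedded_nul(s))
        return EINVAL;
    return rmdir_unchecked(s, buf, bufsize);
}

int main(void)
{
    char buf[64];
    /* Constructed input: the "a\0b" path from the post, length 3. */
    dstring evil = { "a\0b", 3 };

    rmdir_unchecked(evil, buf, sizeof buf);
    printf("unchecked: callee saw \"%s\"\n", last_seen());
    printf("checked:   rc=%d (EINVAL=%d)\n",
           rmdir_checked(evil, buf, sizeof buf), EINVAL);
    return 0;
}
```

The cost of the check is the single `memchr` in `has_embedded_nul`, which is the "extra CPU cycles" the post refers to; without it the callee operates on `"a"` while the caller believes it asked for `"a\0b"`.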

