std.file functions and embedded NUL characters [CWE-158]
Kagamin
spam at here.lot
Mon Aug 4 12:27:03 UTC 2025
On Thursday, 31 July 2025 at 23:27:42 UTC, H. S. Teoh wrote:
> As a contrived example, say you prohibit "/etc/passwd" as a
> filename. Now what happens when the user inputs
> "/etc/passwd\0ha_you_missed_me" as filename? The OS considers
> the NUL as the end of the filename, so your user gets access to
> "/etc/passwd" after all.
If you need path validation, you probably will do more checks
than a null check; stdio won't cut it. See how path validation
vulnerabilities work IRL:
https://github.com/dagster-io/dagster/pull/30002
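The following D program is an added example, not code from Kagamin's post, from H. S. Teoh's, or from Phobos itself. It shows the truncation Teoh describes in the quoted text (a D string carrying an embedded NUL is cut short the moment it is converted for a C API) and the NUL check a validator needs before the string reaches any std.file call. The deny-list entry, the input string and the function names are constructed for illustration.

```d
import std.stdio;
import std.string : toStringz;
import std.exception : enforce;
import core.stdc.string : strlen;

/// Returns true when the path contains an embedded NUL. A C-level syscall
/// treats the first NUL as the end of the string (CWE-158), so any policy
/// applied to the full D string is applied to a different path than the
/// one the OS will open.
bool hasEmbeddedNul(const(char)[] path) @safe pure nothrow @nogc
{
    foreach (c; path)
        if (c == '\0')
            return true;
    return false;
}

/// What the OS actually sees once the D string is handed to a C API:
/// toStringz appends a terminator, and C stops at the first NUL it finds.
/// (Assumed helper; Phobos does not expose this directly.)
string asSeenByOS(string path) @trusted
{
    immutable(char)* cstr = path.toStringz;
    return cstr[0 .. strlen(cstr)];
}

/// Validate before any std.file call: reject embedded NULs first, then
/// apply the path policy. The deny-list entry is a constructed example.
string validatePath(string path)
{
    enforce(!hasEmbeddedNul(path), "path contains an embedded NUL");
    enforce(path != "/etc/passwd", "access to /etc/passwd denied");
    return path;
}

void main()
{
    // Constructed attacker input from the quoted example.
    string attack = "/etc/passwd\0ha_you_missed_me";

    // A naive deny-list compares the whole D string and lets it through...
    writeln("naive check passes: ", attack != "/etc/passwd");
    // ...but the C API only ever sees the prefix before the NUL.
    writeln("OS sees: ", asSeenByOS(attack));

    // A validator that checks for NUL first rejects the input outright.
    writeln("has embedded NUL: ", hasEmbeddedNul(attack));
    try
        validatePath(attack);
    catch (Exception e)
        writeln("rejected: ", e.msg);
}
```

The NUL check comes first deliberately: running the deny-list comparison on the full string gives a false sense of safety, because the string the policy inspected and the string the kernel receives differ exactly at the point the attacker controls.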