std.file functions and embedded NUL characters [CWE-158]

Doigt labog at outlook.com
Thu Jul 31 21:25:44 UTC 2025


On Thursday, 31 July 2025 at 20:45:14 UTC, kdevel wrote:
> Some python code:
>
>    #!/usr/bin/python
>
>    def myfun (filename):
>       open (filename, 'w')
>
>    myfun ("a\0c")
>
> which when executed behaves in an exemplary manner:
>
>    Traceback (most recent call last):
>      File "./test.py", line 6, in <module>
>        myfun ("a\0c")
>      File "./test.py", line 4, in myfun
>        open (filename, 'w')
>    TypeError: file() argument 1 must be encoded string without null bytes, not str
>
> Other languages like D, perl or even Ada seem to let the embedded NUL
> character silently truncate the filename. This poses a considerable
> risk when the input to std.file functions is not controlled by the
> program author [1]. E.g.
>
>    rmdirRecurse ("/\0/home/user/subdir");
>
> [1] https://cwe.mitre.org/data/definitions/158.html

Do you actually have a source or an example program that D 
actually does anything with the null terminator or are you 
talking out of your ass? D doesn't care about the null terminator 
and doesn't do anything with it.

Try this code on run.dlang.io and report back with your apology:

    import std.stdio;
    void main()
    {
        writeln("Hello\0World\0!");
    }
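
The two views of a name with an embedded NUL that this thread is arguing about, as an added example that is not code from either poster or from Phobos: a D slice carries its own length, while a C-level API stops reading at the first NUL. `checkedPath` and `lengthSeenByC` are hypothetical helpers, the sample name is constructed, and no file-system call is made.

```d
import core.stdc.string : strlen;
import std.algorithm.searching : canFind;
import std.exception : assertThrown, enforce;
import std.stdio : writefln;

/// Hypothetical guard (not part of Phobos): returns the path unchanged,
/// or throws if it holds a NUL that a C-level API would treat as the end.
string checkedPath(string path)
{
    enforce(!path.canFind('\0'), "path contains an embedded NUL character");
    return path;
}

/// Length of the name as a C function sees it once a terminator is appended,
/// which any conversion to a C string has to do.
size_t lengthSeenByC(string path)
{
    auto terminated = path ~ '\0';
    return strlen(terminated.ptr);
}

void main()
{
    // Constructed sample input, used only for length checks.
    string name = "a\0c";

    // The D slice keeps all three bytes; the C view ends at the first NUL.
    writefln("D length: %s, C length: %s", name.length, lengthSeenByC(name));
    assert(name.length == 3);
    assert(lengthSeenByC(name) == 1);

    // The guard rejects the name before it could reach a file-system call,
    // and passes an ordinary name through untouched.
    assertThrown(checkedPath(name));
    assert(checkedPath("a_c") == "a_c");
}
```

Applying such a guard at the point where untrusted input becomes a path gives the same fail-closed behaviour as the Python traceback quoted above.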

