std.file functions and embedded NUL characters [CWE-158]
Richard (Rikki) Andrew Cattermole
richard at cattermole.co.nz
Thu Jul 31 21:47:24 UTC 2025
This is quite a good example of why for PhobosV3 I want us to go through
a FilePath abstraction, rather than accepting random strings for file names.
This is indeed a security vulnerability, but it isn't on D's side.
All system APIs take in a null-terminated string, when it should've
been pointer + length.
If someone has a problem with this currently, you can call
``isValidPath`` in ``std.path``, which will check for the null character.
https://dlang.org/phobos/std_path.html#isValidPath
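
The following is an added example, not part of the original post and not Phobos code. It shows the mismatch between what D sees and what a NUL-terminated system API sees, and gates a path with `isValidPath` before it reaches `std.file`. The helpers `checkedPath` and `asSeenByC` are hypothetical names and the file name is constructed sample input.

```d
import std.exception : enforce;
import std.path : isValidPath;
import std.string : fromStringz;

/// Hypothetical helper (not part of Phobos): refuse any path the OS would
/// interpret differently from the D string the program validated.
string checkedPath(string path)
{
    // isValidPath returns false for an empty path and for any path that
    // contains '\0', which is the case discussed in this thread.
    enforce(isValidPath(path), "rejected path: invalid or contains NUL");
    return path;
}

/// What a NUL-terminated C API receives for a given D string:
/// everything up to, but not including, the first '\0'.
string asSeenByC(string path)
{
    return fromStringz((path ~ '\0').ptr);
}

void main()
{
    import std.algorithm.searching : endsWith;
    import std.exception : assertThrown;
    import std.stdio : writeln;

    // Constructed sample input: passes an extension check done in D...
    string name = "report.txt\0.png";
    assert(name.endsWith(".png"));

    // ...but the C layer stops at the first NUL and sees another name.
    assert(asSeenByC(name) == "report.txt");

    // Validating before any std.file call closes the gap.
    assertThrown(checkedPath(name));
    assert(checkedPath("report.png") == "report.png");

    writeln("ok");
}
```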