std.file functions and embedded NUL characters [CWE-158]
Richard (Rikki) Andrew Cattermole
richard at cattermole.co.nz
Thu Jul 31 23:20:28 UTC 2025
On 01/08/2025 11:14 AM, Doigt wrote:
> On Thursday, 31 July 2025 at 21:34:36 UTC, H. S. Teoh wrote:
>> This tone is uncalled for. OP is specifically pointing the issue with
>> passing NUL-containing strings to underlying OS calls. T
>
> No, OP isn't doing that. OP is fishing and it's obvious:
> 1. No problematic example that is specific to D
> 2. Generic source that concerns multiple languages but doesn't cite D
> 3. Immediately pulled out an "exemplary" python program and touting the
> superiority of that language.
>
> Any reasonable person should therefore conclude that it's a generalizing
> statement that was made without prior knowledge about D and that the OP
> didn't make any substantial testing to prove the problem. They hoped
> instead that it would be true. Therefore, you are a fish and you just
> took the bait.
This is a valid security problem with std.stdio and std.file.
They do not have to produce an example showing that bad behavior exists
on our end; this is documented as being possible on the system APIs
which we wrap without validation.
https://github.com/dlang/phobos/blob/2d8ae67b396f5cc5f4633695c1c5ac67d2bf448e/std/stdio.d#L432
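The mechanism this thread is about, shown as an added C example that is neither Phobos code nor code from any participant: a length-delimited string (modelling a D `string`, pointer plus length) is converted to a NUL-terminated buffer the way an unvalidated toStringz-style wrapper would do it, and the C API on the other side then acts only on the bytes before the first NUL. Everything here is constructed for illustration: the `dstring` type, the function names, the "*.txt" suffix rule, and the sample path "secret.key\0.txt" that passes a length-aware check on the D side but opens "secret.key" on the C side. The checked conversion at the end is one way to close the gap (CWE-158): reject embedded NULs at the boundary rather than letting the OS call truncate silently.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length-delimited string, modelling D's `string` (pointer + length),
 * which may legitimately contain '\0' bytes. (Hypothetical type.) */
typedef struct {
    const char *ptr;
    size_t len;
} dstring;

/* Constructed attacker input: the application only allows "*.txt", so the
 * attacker submits "secret.key\0.txt". The array holds 15 bytes of payload;
 * the array's own trailing terminator is not part of the D string. */
static const char ATTACK_BYTES[] = "secret.key\0.txt";
static const char CLEAN_BYTES[]  = "notes.txt";

static dstring attack_path(void)
{
    dstring s = { ATTACK_BYTES, sizeof ATTACK_BYTES - 1 };
    return s;
}

static dstring clean_path(void)
{
    dstring s = { CLEAN_BYTES, sizeof CLEAN_BYTES - 1 };
    return s;
}

/* Length-aware suffix check of the kind an application might run on the D
 * string before handing it to std.file. It sees all 15 bytes, so it accepts
 * the attack input: the last four bytes really are ".txt". */
static int has_allowed_suffix(dstring s, const char *suffix)
{
    size_t m = strlen(suffix);
    return s.len >= m && memcmp(s.ptr + s.len - m, suffix, m) == 0;
}

/* Naive conversion to a C string: copy the bytes and append '\0' without
 * looking for NULs inside. Returns malloc'd memory; the caller frees it. */
static char *to_stringz_naive(dstring s)
{
    char *z = malloc(s.len + 1);
    if (z == NULL) return NULL;
    memcpy(z, s.ptr, s.len);
    z[s.len] = '\0';
    return z;
}

/* Hardened conversion: refuse any string with an embedded NUL (CWE-158) so
 * the error surfaces at the boundary instead of as silent truncation. */
static char *to_stringz_checked(dstring s)
{
    if (s.len > 0 && memchr(s.ptr, '\0', s.len) != NULL) return NULL;
    return to_stringz_naive(s);
}

/* Number of bytes a C API such as fopen() or open() would act on after the
 * naive conversion: everything up to the first NUL. For the attack input
 * that is 10 ("secret.key"), not the 15 the suffix check validated. */
static size_t length_seen_by_c_api(dstring s)
{
    char *z = to_stringz_naive(s);
    if (z == NULL) return 0;
    size_t n = strlen(z);
    free(z);
    return n;
}

/* 1 if the checked conversion accepts s and yields exactly `expect`. */
static int checked_conversion_yields(dstring s, const char *expect)
{
    char *z = to_stringz_checked(s);
    int ok = (z != NULL && strcmp(z, expect) == 0);
    free(z);
    return ok;
}

int main(void)
{
    dstring a = attack_path();
    printf("suffix check on the D string: %s\n",
           has_allowed_suffix(a, ".txt") ? "accepted" : "rejected");
    printf("bytes the C API would act on: %zu of %zu\n",
           length_seen_by_c_api(a), a.len);
    printf("checked conversion: %s\n",
           to_stringz_checked(a) == NULL ? "rejected (embedded NUL)" : "accepted");
    return 0;
}
```

The point to take from the three printed lines is that no check performed on the length-delimited side can be trusted unless the conversion to the C representation also guarantees the OS sees the same bytes; the cheapest way to guarantee that is to make the conversion itself fail on an embedded NUL.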
More information about the Digitalmars-d
mailing list