std.file functions and embedded NUL characters [CWE-158]
Doigt
labog at outlook.com
Thu Jul 31 23:30:51 UTC 2025
On Thursday, 31 July 2025 at 23:20:28 UTC, Richard (Rikki) Andrew Cattermole wrote:
> On 01/08/2025 11:14 AM, Doigt wrote:
>> On Thursday, 31 July 2025 at 21:34:36 UTC, H. S. Teoh wrote:
>>> This tone is uncalled for. OP is specifically pointing out the
>>> issue with passing NUL-containing strings to underlying OS
>>> calls. T
>>
>> No, OP isn't doing that. OP is fishing and it's obvious:
>> 1. No problematic example that is specific to D
>> 2. Generic source that concerns multiple languages but doesn't
>> cite D
>> 3. Immediately pulled out an "exemplary" Python program and
>> touted the superiority of that language.
>>
>> Any reasonable person should therefore conclude that it's a
>> generalizing statement that was made without prior knowledge
>> about D and that the OP didn't make any substantial testing to
>> prove the problem. They hoped instead that it would be true.
>> Therefore, you are a fish and you just took the bait.
>
> This is a valid security problem with std.stdio and std.file.
>
> They do not have to produce an example showing that bad
> behavior exists on our end, this is documented as being
> possible on the system API's which we wrap without validation.
>
> https://github.com/dlang/phobos/blob/2d8ae67b396f5cc5f4633695c1c5ac67d2bf448e/std/stdio.d#L432
You provided the proof for them, and you are correct in pointing
out that it exists on our end. But if their guess had been
wrong, it would have wasted all of our time and energy. This kind of
fishing without proof shouldn't be acceptable.
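The truncation Rikki describes, as an added example that is not part of the thread and not Phobos code: a D string is length-delimited, so it can carry a NUL byte, but once `toStringz` hands it to a C-style API the OS stops reading at that byte. The `hasEmbeddedNul`/`enforceNoNul` guard and the `report.txt\0.tmp` input are hypothetical, constructed for this illustration.

```d
// Added example (not Phobos code): an embedded NUL silently shortens the
// path a C API receives; the guard below rejects such strings before any
// std.file/std.stdio call could forward them. Names are hypothetical.
import std.stdio : writeln;
import std.string : toStringz, fromStringz;

/// Hypothetical guard: true when a C API would cut the path short.
bool hasEmbeddedNul(const(char)[] path) @safe pure nothrow @nogc
{
    foreach (c; path)
        if (c == '\0')
            return true;
    return false;
}

/// Hypothetical wrapper: validate before handing the path to the OS.
void enforceNoNul(const(char)[] path) @safe pure
{
    if (hasEmbeddedNul(path))
        throw new Exception("path contains an embedded NUL byte (CWE-158)");
}

void main()
{
    // Constructed input: everything after the NUL never reaches the OS.
    string name = "report.txt\0.tmp";

    writeln("D string length : ", name.length);                  // 15
    writeln("C API would see : ", name.toStringz.fromStringz);   // report.txt

    try
    {
        enforceNoNul(name);
        writeln("ok, safe to pass to std.file");
    }
    catch (Exception e)
        writeln("rejected: ", e.msg);
}
```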