std.file functions and embedded NUL characters [CWE-158]

monkyyy crazymonkyyy at gmail.com
Thu Jul 31 23:48:38 UTC 2025 

On Thursday, 31 July 2025 at 23:27:42 UTC, H. S. Teoh wrote:
> On Thu, Jul 31, 2025 at 10:27:56PM +0000, monkyyy via 
> Digitalmars-d wrote:
>> On Thursday, 31 July 2025 at 21:47:24 UTC, Richard (Rikki) 
>> Andrew Cattermole
>> wrote:
>> > This is quite a good example of why for PhobosV3 I want us 
>> > to go through a FilePath abstraction, rather than accepting 
>> > random strings for file names.
>> 
>> whats wrong with just changing toStringz? I dont understand 
>> the threat profile imagined by the infinitely wise cve org; 
>> but you could make toStringz:
>> 
>> a) shorten it to the first null char
> [...]
>
> This is precisely what it currently does, and where the problem 
> is. Consider: you have user input specifying a filename, and 
> your code checks to make sure it doesn't overwrite a file it's 
> not supposed to. As a contrived example, say you prohibit 
> "/etc/passwd" as a filename. Now what happens when the user 
> inputs "/etc/passwd\0ha_you_missed_me" as filename?  The OS 
> considers the NUL as the end of the filename, so your user gets 
> access to "/etc/passwd" after all.
>
> Another example: maybe you have a database management program 
> and your user specifies a filename to save the database, and 
> you keep an AA of previously-used names which you check, so 
> that the user doesn't stomp over another user's database file.  
> Now consider what happens if user A inputs "database\01.db" and 
> user B inputs "database\02.db".  The OS considers the NUL as 
> the end of the filename, so user A's file is actually 
> "database", and so is user B's file, so user B can now 
> overwrite user A's data.
>
> These are just some mild cases.  I'm pretty sure if you think 
> hard enough, you'll be able to come up with something that will 
> open a security hole by exploiting the fact that what the D 
> code thinks is the filename is different from what the OS 
> thinks is the filename.
>
>
> T

~~I think these are extremely contrived, passwd is the os's 
responsibly and I expect all oses have it behind root 
permissions; also backups~~

swapping toStringz to option 2 then?

I think adr's FilePath may come from stealing code from rikki, 
and in thoery what rikki is suggesting is I call 
`File(FilePath("foo"))` I didnt like figuring it out; I wont 
actually store a filepath, I will write string then do whatever 
the error messages and instinct says will make the code I wrote 
compile

If `"passwd\0hi".toStringz == &"passwd__NULL__DONT_DO_THAThi"[0]` 
it wont match `passwd`; whats the `file(filepath)` abstraction 
gaining over option 2 or 3

More information about the Digitalmars-d mailing list