Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 18 Oct 2012 17:36:43 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: ruby file creation due in insertion
 of illegal NUL character

On 18/10/12 11:51, Matthias Weckbecker wrote:
> On Wednesday 17 October 2012 20:14:22 Simon McVittie wrote:
>> For Perl, one possibility would be to continue to treat an input of
>> "foo\0" as equivalent to "foo" (so that you can use "./ foo \0" to
>> mean " foo ", as documented), but disallow NULs anywhere except the
>> last position.
> 
> Although this is a very elegant solution it's on the other hand probably not
> trivially implemented, because NUL is mostly treated as the end of a string.

In languages like Perl and Python where a string can contain NULs, the C
representation of a high-level-language string is not just a C string
(NUL-terminated char *); it's a struct with a buffer and a length,
similar to a Pascal string or GLib's GString object. The buffer is
typically guaranteed to be at least 1 byte longer than the "official"
length, and contain a NUL after the "official" length, so that it can be
passed to APIs that expect a C string without copying.

For instance, Python has the function PyString_AsStringAndSize() to
access both the buffer and the length in one call.

>From a quick look at, for instance, PerlIO_openn() in Perl 5.16.1's
perlio.c, it would be necessary to use SvPV_const() instead of
SvPV_nolen_const(), which gives you a length and a buffer instead of
just the buffer; at which point it's possible and safe to check that no
NUL appears in the first length-1 bytes. To have its new semantics, Ruby
must be doing something pretty similar.

(I'm not volunteering to write a patch - I've never used Perl's C API
before.)

    S

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.