summaryrefslogtreecommitdiffstats
path: root/Modules
diff options
context:
space:
mode:
authorTim Peters <tim.peters@gmail.com>2004-08-08 01:00:47 (GMT)
committerTim Peters <tim.peters@gmail.com>2004-08-08 01:00:47 (GMT)
commitec8c5a931136b61231b295f2aded8dc04035e9b7 (patch)
tree76a240b7d477eb976027695d05b116037afe3873 /Modules
parent95334a5d1e224548d16b358c1314be444625b925 (diff)
downloadcpython-ec8c5a931136b61231b295f2aded8dc04035e9b7.zip
cpython-ec8c5a931136b61231b295f2aded8dc04035e9b7.tar.gz
cpython-ec8c5a931136b61231b295f2aded8dc04035e9b7.tar.bz2
Bug 1003471: Python 1.5.2 security vulnerability still present in 2.3.4
That's the title of the report, but the hole was probably plugged since Python 2.0. See corresponding checkin to PC/getpathp.c: a crucial precondition for joinpath() was neither documented nor verified, and there are so many callers with so many conditional paths that no "eyeball analysis" is satisfactory. Now Python dies with a fatal error if the precondition isn't satisfied, instead of allowing a buffer overrun. NOT TESTED! The Windows version of the patch was, but not this one. I don't feel like waiting for someone to notice the patch I attached to the bug report. If it doesn't compile, sorry, but fix it <wink>. If it does compile, it's "obviously correct".
Diffstat (limited to 'Modules')
-rw-r--r--Modules/getpath.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/Modules/getpath.c b/Modules/getpath.c
index 10ad509..418c683 100644
--- a/Modules/getpath.c
+++ b/Modules/getpath.c
@@ -190,10 +190,14 @@ isdir(char *filename) /* Is directory */
}
-/* joinpath requires that any buffer argument passed to it has at
- least MAXPATHLEN + 1 bytes allocated. If this requirement is met,
- it guarantees that it will never overflow the buffer. If stuff
- is too long, buffer will contain a truncated copy of stuff.
+/* Add a path component, by appending stuff to buffer.
+ buffer must have at least MAXPATHLEN + 1 bytes allocated, and contain a
+ NUL-terminated string with no more than MAXPATHLEN characters (not counting
+ the trailing NUL). It's a fatal error if it contains a string longer than
+ that (callers must be careful!). If these requirements are met, it's
+ guaranteed that buffer will still be a NUL-terminated string with no more
+ than MAXPATHLEN characters at exit. If stuff is too long, only as much of
+ stuff as fits will be appended.
*/
static void
joinpath(char *buffer, char *stuff)
@@ -206,6 +210,8 @@ joinpath(char *buffer, char *stuff)
if (n > 0 && buffer[n-1] != SEP && n < MAXPATHLEN)
buffer[n++] = SEP;
}
+ if (n > MAXPATHLEN)
+ Py_FatalError("buffer overflow in getpath.c's joinpath()");
k = strlen(stuff);
if (n + k > MAXPATHLEN)
k = MAXPATHLEN - n;