[New-bugs-announce] [issue22147] PosixPath() constructor should not accept strings with embedded NUL bytes

Isaac Schwabacher report at bugs.python.org
Tue Aug 5 21:44:08 CEST 2014 

New submission from Isaac Schwabacher:

This is listed as a python3.4 issue even though I only tried this on the python2.7 backport because I don't have a python3 handy, but I was not able to find an indication, either here or elsewhere, that this had been addressed.  Please forgive me if it has.

The `pathlib.PosixPath()` constructor currently accepts strings containing NUL bytes, converting them into paths containing NUL bytes. POSIX specifies that a pathname may not contain embedded NULs.

It appears that `PosixPath.stat()` is checking for embedded NUL, but `PosixPath.open()` is not!  For safety, constructing a `PosixPath` with embedded NULs should be forbidden.

`pathlib.WindowsPath()` should probably receive the same treatment.

Observed behavior:

```python

>>> from pathlib import Path

>>> Path("\0I'm not malicious, I'm mischievous!")
PosixPath("\x00I'm not malicious, I'm mischievous!")

>>> _.open()
Traceback (most recent call last):
 File "<stdin>", line 1, in <module>
 File ".../site-packages/pathlib.py", line 1077, in open
 return io.open(str(self), mode, buffering, encoding, errors, newline)
IOError: [Errno 2] No such file or directory: ''

>>> Path('/') / _
PosixPath("/\x00I'm not malicious, I'm mischievous!")

>>> _.open()
Traceback (most recent call last):
 File "<stdin>", line 1, in <module>
 File ".../site-packages/pathlib.py", line 1077, in open
 return io.open(str(self), mode, buffering, encoding, errors, newline)
IOError: [Errno 21] Is a directory: "/\x00I'm not malicious, I'm mischievous!"

>>> _.stat()
Traceback (most recent call last):
 File "<stdin>", line 1, in <module>
 File ".../site-packages/pathlib.py", line 1051, in stat
 return self._accessor.stat(self)
 File ".../site-packages/pathlib.py", line 346, in wrapped
 return strfunc(str(pathobj), *args)
TypeError: must be encoded string without NULL bytes, not str

>>> p1 = Path('/etc/passwd\0/hello.txt').open()

>>> p2 = Path('/etc/passwd').open()

>>> os.path.sameopenfile(p1.fileno(), p2.fileno())
True  # DANGER WILL ROBINSON!

```

Expected behavior:

```python

>>> Path("/\0I'm not malicious, I'm mischievous!")
...
ValueError: Illegal byte '\x00' in path

```

----------
messages: 224880
nosy: ischwabacher
priority: normal
severity: normal
status: open
title: PosixPath() constructor should not accept strings with embedded NUL bytes
type: security
versions: Python 3.4

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue22147>
_______________________________________

More information about the New-bugs-announce mailing list