[Python-checkins] python/dist/src/Modules getpath.c,1.49,1.50

tim_one at users.sourceforge.net tim_one at users.sourceforge.net
Sun Aug 8 03:00:49 CEST 2004 

Update of /cvsroot/python/python/dist/src/Modules
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv24572/Modules

Modified Files:
	getpath.c 
Log Message:
Bug 1003471: Python 1.5.2 security vulnerability still present in 2.3.4

That's the title of the report, but the hole was probably plugged since
Python 2.0.  See corresponding checkin to PC/getpathp.c:  a crucial
precondition for joinpath() was neither documented nor verified, and there
are so many callers with so many conditional paths that no "eyeball
analysis" is satisfactory.  Now Python dies with a fatal error if the
precondition isn't satisfied, instead of allowing a buffer overrun.

NOT TESTED!  The Windows version of the patch was, but not this one.  I
don't feel like waiting for someone to notice the patch I attached to the
bug report.  If it doesn't compile, sorry, but fix it <wink>.  If it
does compile, it's "obviously correct".


Index: getpath.c
===================================================================
RCS file: /cvsroot/python/python/dist/src/Modules/getpath.c,v
retrieving revision 1.49
retrieving revision 1.50
diff -C2 -d -r1.49 -r1.50
*** getpath.c	26 Jun 2004 04:03:05 -0000	1.49
--- getpath.c	8 Aug 2004 01:00:47 -0000	1.50
***************
*** 191,198 ****
  
  
! /* joinpath requires that any buffer argument passed to it has at
!    least MAXPATHLEN + 1 bytes allocated.  If this requirement is met,
!    it guarantees that it will never overflow the buffer.  If stuff
!    is too long, buffer will contain a truncated copy of stuff.
  */
  static void
--- 191,202 ----
  
  
! /* Add a path component, by appending stuff to buffer.
!    buffer must have at least MAXPATHLEN + 1 bytes allocated, and contain a
!    NUL-terminated string with no more than MAXPATHLEN characters (not counting
!    the trailing NUL).  It's a fatal error if it contains a string longer than
!    that (callers must be careful!).  If these requirements are met, it's
!    guaranteed that buffer will still be a NUL-terminated string with no more
!    than MAXPATHLEN characters at exit.  If stuff is too long, only as much of
!    stuff as fits will be appended.
  */
  static void
***************
*** 207,210 ****
--- 211,216 ----
              buffer[n++] = SEP;
      }
+     if (n > MAXPATHLEN)
+     	Py_FatalError("buffer overflow in getpath.c's joinpath()");
      k = strlen(stuff);
      if (n + k > MAXPATHLEN)

More information about the Python-checkins mailing list