[Python-checkins] python/dist/src/Modules getpath.c,1.49,1.50
tim_one at users.sourceforge.net
tim_one at users.sourceforge.net
Sun Aug 8 03:00:49 CEST 2004
Update of /cvsroot/python/python/dist/src/Modules
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv24572/Modules
Modified Files:
getpath.c
Log Message:
Bug 1003471: Python 1.5.2 security vulnerability still present in 2.3.4
That's the title of the report, but the hole was probably plugged since
Python 2.0. See corresponding checkin to PC/getpathp.c: a crucial
precondition for joinpath() was neither documented nor verified, and there
are so many callers with so many conditional paths that no "eyeball
analysis" is satisfactory. Now Python dies with a fatal error if the
precondition isn't satisfied, instead of allowing a buffer overrun.
NOT TESTED! The Windows version of the patch was, but not this one. I
don't feel like waiting for someone to notice the patch I attached to the
bug report. If it doesn't compile, sorry, but fix it <wink>. If it
does compile, it's "obviously correct".
Index: getpath.c
===================================================================
RCS file: /cvsroot/python/python/dist/src/Modules/getpath.c,v
retrieving revision 1.49
retrieving revision 1.50
diff -C2 -d -r1.49 -r1.50
*** getpath.c 26 Jun 2004 04:03:05 -0000 1.49
--- getpath.c 8 Aug 2004 01:00:47 -0000 1.50
***************
*** 191,198 ****
! /* joinpath requires that any buffer argument passed to it has at
! least MAXPATHLEN + 1 bytes allocated. If this requirement is met,
! it guarantees that it will never overflow the buffer. If stuff
! is too long, buffer will contain a truncated copy of stuff.
*/
static void
--- 191,202 ----
! /* Add a path component, by appending stuff to buffer.
! buffer must have at least MAXPATHLEN + 1 bytes allocated, and contain a
! NUL-terminated string with no more than MAXPATHLEN characters (not counting
! the trailing NUL). It's a fatal error if it contains a string longer than
! that (callers must be careful!). If these requirements are met, it's
! guaranteed that buffer will still be a NUL-terminated string with no more
! than MAXPATHLEN characters at exit. If stuff is too long, only as much of
! stuff as fits will be appended.
*/
static void
***************
*** 207,210 ****
--- 211,216 ----
buffer[n++] = SEP;
}
+ if (n > MAXPATHLEN)
+ Py_FatalError("buffer overflow in getpath.c's joinpath()");
k = strlen(stuff);
if (n + k > MAXPATHLEN)
More information about the Python-checkins
mailing list