null bytes truncate filenames given to Sys and Unix #6945
Comments
Comment author: @gasche A first idea for a fix would be to assert, in each of the C functions that passes an OCaml string to the system, that the |
Comment author: @diml Note that for Unix.connect and Unix.bind you need to allow the first byte of the path to be null, as it is used for abstract sockets on Linux. |
Comment author: @diml Well, in the case of connect or bind for instance, it makes sense to still do the test if the first byte is not null, as in this case they will ignore everything after the null terminating byte. |
Comment author: @xavierleroy |
Comment author: @dbuenzli Reopening this before I forget. The fix is not complete see |
Comment author: @xavierleroy |
Comment author: @dbuenzli Made a quick review of the OCaml C system interface; we are still missing a few. See |
Comment author: @xavierleroy More missing checks added in commit 9893e26. |
Original bug ID: 6945
Reporter: @dbuenzli
Status: closed (set by @xavierleroy on 2017-02-16T14:14:34Z)
Resolution: fixed
Priority: normal
Severity: major
Version: 4.02.3
Fixed in version: 4.03.0+dev / +beta1
Category: standard library
Tags: junior_job
Monitored by: @gasche @diml @hcarty @dbuenzli
Bug description
Hello,
Functions of the Sys and Unix modules taking filenames as arguments simply truncate their argument on null bytes. They should rather raise Sys_error and Unix.ENOENT. I'm sure there are all kinds of nice security exploits to perform with the current scheme; see e.g. http://projects.webappsec.org/w/page/13246949/Null%20Byte%20Injection
Best,
Daniel
Steps to reproduce
Sys.file_exists "/tmp/bla\x00hehey";;
#require "unix";;
/Users/dbuenzli/.opam/4.02.3/lib/ocaml/unix.cma: loaded
Unix.stat "/tmp/bla\x00hehey";;
{Unix.st_dev = 16777220; st_ino = 113544695; st_kind = Unix.S_DIR;
st_perm = 493; st_nlink = 2; st_uid = 501; st_gid = 0; st_rdev = 0;
st_size = 68; st_atime = 1438290718.; st_mtime = 1438290111.;
st_ctime = 1438290111.}
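The check discussed in the comments, sketched in C as an added example (this is not the OCaml runtime's code): a length-carrying string is rejected when a C API would see fewer bytes than the caller supplied, with the leading-null exception for connect/bind paths. The names `struct lenstr`, `LENSTR`, `c_visible_len`, `check_path` and `check_socket_path` are hypothetical, and returning `ENOENT` follows the report's suggestion.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an OCaml string: bytes plus an explicit length,
   so a NUL byte can appear anywhere inside it. */
struct lenstr { const char *data; size_t len; };
#define LENSTR(lit) ((struct lenstr){ (lit), sizeof(lit) - 1 })

/* Number of bytes a C API reading up to the first NUL would actually use. */
size_t c_visible_len(struct lenstr s) {
    const char *nul = memchr(s.data, '\0', s.len);
    return nul ? (size_t)(nul - s.data) : s.len;
}

/* Filename check: 0 if the whole string reaches the system, else ENOENT
   (the error the report asks for on the Unix side). */
int check_path(struct lenstr s) {
    return c_visible_len(s) == s.len ? 0 : ENOENT;
}

/* Socket path check for connect/bind: a leading NUL selects a Linux abstract
   socket, whose name is taken by length, so only other paths are checked. */
int check_socket_path(struct lenstr s) {
    if (s.len > 0 && s.data[0] == '\0') return 0;
    return check_path(s);
}

int main(void) {
    /* Constructed inputs; the first is the string from the report. */
    struct lenstr bad = LENSTR("/tmp/bla\0hehey");
    struct lenstr abstract = LENSTR("\0my-socket");
    printf("%zu of %zu bytes visible\n", c_visible_len(bad), bad.len);
    printf("path: %d, socket: %d, abstract: %d\n",
           check_path(bad), check_socket_path(bad), check_socket_path(abstract));
    return 0;
}
```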