Author ischwabacher
Recipients ischwabacher
Date 2014-08-05.19:44:08
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1407267848.45.0.809324931091.issue22147@psf.upfronthosting.co.za>
In-reply-to
Content
This is listed as a python3.4 issue even though I only tried this on the python2.7 backport because I don't have a python3 handy, but I was not able to find an indication, either here or elsewhere, that this had been addressed.  Please forgive me if it has.

The `pathlib.PosixPath()` constructor currently accepts strings containing NUL bytes, converting them into paths containing NUL bytes. POSIX specifies that a pathname may not contain embedded NULs.

It appears that `PosixPath.stat()` is checking for embedded NUL, but `PosixPath.open()` is not!  For safety, constructing a `PosixPath` with embedded NULs should be forbidden.

`pathlib.WindowsPath()` should probably receive the same treatment.

Observed behavior:

```python

>>> from pathlib import Path

>>> Path("\0I'm not malicious, I'm mischievous!")
PosixPath("\x00I'm not malicious, I'm mischievous!")

>>> _.open()
Traceback (most recent call last):
 File "<stdin>", line 1, in <module>
 File ".../site-packages/pathlib.py", line 1077, in open
 return io.open(str(self), mode, buffering, encoding, errors, newline)
IOError: [Errno 2] No such file or directory: ''

>>> Path('/') / _
PosixPath("/\x00I'm not malicious, I'm mischievous!")

>>> _.open()
Traceback (most recent call last):
 File "<stdin>", line 1, in <module>
 File ".../site-packages/pathlib.py", line 1077, in open
 return io.open(str(self), mode, buffering, encoding, errors, newline)
IOError: [Errno 21] Is a directory: "/\x00I'm not malicious, I'm mischievous!"

>>> _.stat()
Traceback (most recent call last):
 File "<stdin>", line 1, in <module>
 File ".../site-packages/pathlib.py", line 1051, in stat
 return self._accessor.stat(self)
 File ".../site-packages/pathlib.py", line 346, in wrapped
 return strfunc(str(pathobj), *args)
TypeError: must be encoded string without NULL bytes, not str

>>> p1 = Path('/etc/passwd\0/hello.txt').open()

>>> p2 = Path('/etc/passwd').open()

>>> os.path.sameopenfile(p1.fileno(), p2.fileno())
True  # DANGER WILL ROBINSON!

```

Expected behavior:

```python

>>> Path("/\0I'm not malicious, I'm mischievous!")
...
ValueError: Illegal byte '\x00' in path

```
History
Date User Action Args
2014-08-05 19:44:08ischwabachersetrecipients: + ischwabacher
2014-08-05 19:44:08ischwabachersetmessageid: <1407267848.45.0.809324931091.issue22147@psf.upfronthosting.co.za>
2014-08-05 19:44:08ischwabacherlinkissue22147 messages
2014-08-05 19:44:08ischwabachercreate