Author davidsarah
Recipients davidsarah
Date 2010-02-18.00:21:51
SpamBayes Score 0.0
Marked as misclassified No
Message-id <1266452515.1.0.187008145606.issue7952@psf.upfronthosting.co.za>
In-reply-to
Content
The C standard (any version, or POSIX), says in the description of fopen that:
{{{
When a file is opened with update mode ( '+' as the second or third character in the mode argument), both input and output may be performed on the associated stream. However, the application shall ensure that output is not directly followed by input without an intervening call to fflush() or to a file positioning function ( fseek(), fsetpos(), or rewind()), and input is not directly followed by output without an intervening call to a file positioning function, unless the input operation encounters end-of-file.
}}}

Objects/fileobject.c makes calls to fread and fwrite without taking this into account. So calls from Python to read or write methods of a file object opened in any "rw" mode, may invoke undefined behaviour. It isn't reasonable to rely on Python code to avoid this situation, even if were considered acceptable in C. (Arguably this is a bug in the C standard, but it is unlikely to be fixed there or in POSIX, because of differences in philosophy about language safety.)

To fix this, fileobject.c should keep track of whether the last I/O operation was an input or output, and perform a call to fflush whenever an input follows an output or vice versa. This should not significantly affect performance in any case where the behaviour was previously defined (in cases where it wasn't, correctness trumps performance). fflush does not affect the file position and should have no other negative effect, because the stdio implementation is free to flush buffered data at any time (and certainly on I/O operations).

Despite the undefined behaviour, I don't currently know of a platform where this would lead to an exploitable security bug. I'm marking this issue as security-relevant anyway, because it may prevent analysing whether Python applications behave securely only on the basis of documented behaviour.
History
Date User Action Args
2010-02-18 00:21:55davidsarahsetrecipients: + davidsarah
2010-02-18 00:21:55davidsarahsetmessageid: <1266452515.1.0.187008145606.issue7952@psf.upfronthosting.co.za>
2010-02-18 00:21:53davidsarahlinkissue7952 messages
2010-02-18 00:21:51davidsarahcreate