New submission from David-Sarah Hopwood <david-sa...@jacaranda.org>:
The C standard (any version, or POSIX), says in the description of fopen that:
{{{
When a file is opened with update mode ( '+' as the second or third character
in the mode argument), both input and output may be performed on the associated
stream. However, the application shall ensure that output is not directly
followed by input without an intervening call to fflush() or to a file
positioning function ( fseek(), fsetpos(), or rewind()), and input is not
directly followed by output without an intervening call to a file positioning
function, unless the input operation encounters end-of-file.
}}}
Objects/fileobject.c makes calls to fread and fwrite without taking this into
account. So calls from Python to read or write methods of a file object opened
in any "rw" mode, may invoke undefined behaviour. It isn't reasonable to rely
on Python code to avoid this situation, even if were considered acceptable in
C. (Arguably this is a bug in the C standard, but it is unlikely to be fixed
there or in POSIX, because of differences in philosophy about language safety.)
To fix this, fileobject.c should keep track of whether the last I/O operation
was an input or output, and perform a call to fflush whenever an input follows
an output or vice versa. This should not significantly affect performance in
any case where the behaviour was previously defined (in cases where it wasn't,
correctness trumps performance). fflush does not affect the file position and
should have no other negative effect, because the stdio implementation is free
to flush buffered data at any time (and certainly on I/O operations).
Despite the undefined behaviour, I don't currently know of a platform where
this would lead to an exploitable security bug. I'm marking this issue as
security-relevant anyway, because it may prevent analysing whether Python
applications behave securely only on the basis of documented behaviour.
----------
components: IO
messages: 99483
nosy: davidsarah
severity: normal
status: open
title: fileobject.c can switch between fread and fwrite without an intervening
flush or seek, invoking undefined behaviour
type: security
versions: Python 2.7
_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue7952>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
