Bug #3337

MS-DOS device names are identified as readable_real

Added by HD Moore over 5 years ago. Updated almost 3 years ago.

[ruby-core:30406]
Status:Assigned
Priority:Normal
Assignee:Usaku NAKAMURA
ruby -v:ruby 1.9.3dev (2010-05-21 trunk 27931) [i386-mingw32] Backport:

Description

=begin
Special MS-DOS filenames return true from a call to File.readable_real? and File.file?. This exposes certain popular projects to a denial of service on the Windows platform.

irb(main):007:0> File.readable_real?("AUX")
=> true

Modifying File.file? and File.readable_real? to return false for MS-DOS device names will allow standard tests for static files to avoid MS-DOS names. The regular express below can be used to match against known MS-DOS names and should be inclusive, however a second set of eyes would be great.

/\/(CON|PRN|AUX|NUL|COM1|COM2|COM3|COM4|COM5|COM6|COM7|COM8|COM9|LPT1|LPT2|LPT3|LPT4|LPT5|LPT6|LPT7|LPT8|LPT9)([.\/]|$)/i

If you need information on the specific projects affected by this bug, please contact me via email
=end

History

#1 Updated by caleb clausen over 5 years ago

=begin
I'm not certain that the above list is complete. Among other things, windows allows programs to define their own ms-dos device names using DefineDosDevice. It might be better (at least on windows) to query the system for the list of currently defined device names.

It appears that windows ce allows device names which begin with \$device\ or \$bus.

Also, I'm puzzled by the fact that you require a / at the beginning of the device name, and allow . or / at the end. Microsoft's documentation only mentions allowing a : at the end.

I think this might be a better regexp to use (wince devices still not checked here, tho):
%r{\A(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])([./:]?\z)}i

relevant pages on MSDN:

INFO: Understanding Device Names and Symbolic Links
http://support.microsoft.com/kb/235128

Defining an MS-DOS Device Name
http://msdn.microsoft.com/en-us/library/aa363908(VS.85).aspx

DefineDosDevice Function
http://msdn.microsoft.com/en-us/library/aa363904(VS.85).aspx

Device File Names (for windows ce)
http://msdn.microsoft.com/en-us/library/aa447463.aspx

QueryDosDevice Function (can return a list of known devices???)
http://msdn.microsoft.com/en-us/library/aa365461(v=VS.85).aspx
=end

#2 Updated by Yusuke Endoh over 5 years ago

  • Assignee set to Usaku NAKAMURA
  • Priority changed from Normal to 3
  • Target version set to 2.0.0

=begin
Hi,

According to Usaku, it is difficult to fix this issue.
According to Usaku, QueryDosDevice cannot be used. It determines
some device files (such as CON) as normal file.

At least, we won't fix this issue in 1.9.2 release.
I change the target to 1.9.x and priority to Low.

Blame windows!

--
Yusuke Endoh mame@tsg.ne.jp
=end

#3 Updated by HD Moore over 5 years ago

=begin
Responding to Caleb: the regex is being used to monkeypatch an application server, the leading / is because the regex is matching an incoming request, not the raw filename, and I should have clarified in the initial report.

It does seem a sticky problem to solve, but it may be possible to combine the known-bad blacklist with QueryDosDevice (.ex: CON will always be a console). I am not sure how frequently DefineDosDevice is actually used, so just filtering a known blacklist may go a long way in the short term.

=end

#4 Updated by Usaku NAKAMURA over 5 years ago

  • Status changed from Open to Assigned

=begin

=end

#5 Updated by Usaku NAKAMURA almost 3 years ago

  • Description updated (diff)
  • Target version changed from 2.0.0 to next minor

Also available in: Atom PDF