Bug #3337

MS-DOS device names are identified as readable_real

Added by hdm (HD Moore) almost 14 years ago. Updated over 6 years ago.

Status:
Closed
Assignee:
Target version:
ruby -v:
ruby 1.9.3dev (2010-05-21 trunk 27931) [i386-mingw32]
[ruby-core:30406]

Description

Special MS-DOS filenames return true from a call to File.readable_real? and File.file?. This exposes certain popular projects to a denial of service on the Windows platform.

irb(main):007:0> File.readable_real?("AUX")
=> true

Modifying File.file? and File.readable_real? to return false for MS-DOS device names will allow standard tests for static files to avoid MS-DOS names. The regular expression below can be used to match against known MS-DOS names and should be inclusive; however, a second set of eyes would be great.

/\/(CON|PRN|AUX|NUL|COM1|COM2|COM3|COM4|COM5|COM6|COM7|COM8|COM9|LPT1|LPT2|LPT3|LPT4|LPT5|LPT6|LPT7|LPT8|LPT9)([\.\/]|$)/i

If you need information on the specific projects affected by this bug, please contact me via email

Actions #1

Updated by coatl (caleb clausen) almost 14 years ago

I'm not certain that the above list is complete. Among other things, Windows allows programs to define their own MS-DOS device names using DefineDosDevice. It might be better (at least on Windows) to query the system for the list of currently defined device names.

It appears that Windows CE allows device names which begin with $device or $bus.

Also, I'm puzzled by the fact that you require a / at the beginning of the device name, and allow . or / at the end. Microsoft's documentation only mentions allowing a : at the end.

I think this might be a better regexp to use (WinCE devices still not checked here, though):

%r{\A(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])([./:]?\z)}i

Relevant pages on MSDN:

INFO: Understanding Device Names and Symbolic Links
http://support.microsoft.com/kb/235128

Defining an MS-DOS Device Name
http://msdn.microsoft.com/en-us/library/aa363908(VS.85).aspx

DefineDosDevice Function
http://msdn.microsoft.com/en-us/library/aa363904(VS.85).aspx

Device File Names (for Windows CE)
http://msdn.microsoft.com/en-us/library/aa447463.aspx

QueryDosDevice Function (can return a list of known devices???)
http://msdn.microsoft.com/en-us/library/aa365461(v=VS.85).aspx

Actions #2

Updated by mame (Yusuke Endoh) almost 14 years ago

  • Assignee set to usa (Usaku NAKAMURA)
  • Priority changed from Normal to 3
  • Target version set to 2.0.0

Hi,

According to Usaku, it is difficult to fix this issue.
According to Usaku, QueryDosDevice cannot be used. It determines
some device files (such as CON) as normal files.

At least, we won't fix this issue in 1.9.2 release.
I change the target to 1.9.x and priority to Low.

Blame windows!

--
Yusuke Endoh

Actions #3

Updated by hdm (HD Moore) almost 14 years ago

Responding to Caleb: the regex is being used to monkeypatch an application server, the leading / is because the regex is matching an incoming request, not the raw filename, and I should have clarified in the initial report.

It does seem a sticky problem to solve, but it may be possible to combine the known-bad blacklist with QueryDosDevice (e.g. CON will always be a console). I am not sure how frequently DefineDosDevice is actually used, so just filtering a known blacklist may go a long way in the short term.
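As an added example (not code from the Ruby project or from any participant in this report), the following Ruby check combines the description's request-path regex with the basename-anchored form from comment #1: it examines every path component, so it works both on an incoming request path and on a raw filename. The function names `dos_device_name?` and `safe_static_file?` are assumptions for illustration.

```ruby
# Added example: a path check a static-file handler can apply before
# calling File.file? / File.readable_real?, which on Windows return
# true for MS-DOS device names such as AUX.

RESERVED_DOS_DEVICES = %w[CON PRN AUX NUL] +
  (1..9).map { |n| "COM#{n}" } +
  (1..9).map { |n| "LPT#{n}" }

# True when any path component names an MS-DOS device. Covers:
#  - case-insensitivity ("aux", "Con")
#  - an extension appended to the device name ("NUL.txt" still
#    resolves to the NUL device on Windows)
#  - a trailing ":" (the documented form) and trailing dots/spaces,
#    which Windows strips from names
#  - both "/" and "\" separators, so "/static/aux.css" and
#    "C:\web\aux.css" are both caught
def dos_device_name?(path)
  path.to_s.split(%r{[\\/]}).any? do |component|
    # Drop trailing ":", "." and whitespace, then keep only the part
    # before the first "." ("con.tar.gz" -> "con", ".hidden" -> "").
    base = component.sub(/[\s.:]+\z/, "")[/\A[^.]*/]
    RESERVED_DOS_DEVICES.include?(base.upcase)
  end
end

# A path is served only when it is not a device name AND the usual
# regular-file tests pass; the device check short-circuits first so
# File.file?/File.readable_real? are never consulted for device names.
def safe_static_file?(path)
  !dos_device_name?(path) && File.file?(path) && File.readable_real?(path)
end
```

The list is the known-name blacklist from this report; names created at runtime with DefineDosDevice are not covered, as caleb notes above.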

Actions #4

Updated by usa (Usaku NAKAMURA) almost 14 years ago

  • Status changed from Open to Assigned

Updated by usa (Usaku NAKAMURA) over 11 years ago

  • Description updated (diff)
  • Target version changed from 2.0.0 to 2.6

Updated by usa (Usaku NAKAMURA) over 6 years ago

  • Assignee changed from usa (Usaku NAKAMURA) to windows

Updated by nobu (Nobuyoshi Nakada) over 6 years ago

  • Description updated (diff)
  • Status changed from Assigned to Closed

Seems already fixed in 2.0.0.
