Bug #3337 (closed)
MS-DOS device names are identified as readable_real
Description
Special MS-DOS filenames return true from a call to File.readable_real? and File.file?. This exposes certain popular projects to a denial of service on the Windows platform.
irb(main):007:0> File.readable_real?("AUX")
=> true
Modifying File.file? and File.readable_real? to return false for MS-DOS device names will allow standard tests for static files to avoid MS-DOS names. The regular expression below can be used to match against known MS-DOS names and should be inclusive; however, a second set of eyes would be great.
/\/(CON|PRN|AUX|NUL|COM1|COM2|COM3|COM4|COM5|COM6|COM7|COM8|COM9|LPT1|LPT2|LPT3|LPT4|LPT5|LPT6|LPT7|LPT8|LPT9)([\.\/]|$)/i
If you need information on the specific projects affected by this bug, please contact me via email.
Updated by coatl (caleb clausen) over 14 years ago
I'm not certain that the above list is complete. Among other things, Windows allows programs to define their own MS-DOS device names using DefineDosDevice. It might be better (at least on Windows) to query the system for the list of currently defined device names.
It appears that Windows CE allows device names which begin with $device or $bus.
Also, I'm puzzled by the fact that you require a / at the beginning of the device name, and allow . or / at the end. Microsoft's documentation only mentions allowing a : at the end.
I think this might be a better regexp to use (WinCE devices still not checked here, though):
%r{\A(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])([./:]?\z)}i
relevant pages on MSDN:
INFO: Understanding Device Names and Symbolic Links
http://support.microsoft.com/kb/235128
Defining an MS-DOS Device Name
http://msdn.microsoft.com/en-us/library/aa363908(VS.85).aspx
DefineDosDevice Function
http://msdn.microsoft.com/en-us/library/aa363904(VS.85).aspx
Device File Names (for windows ce)
http://msdn.microsoft.com/en-us/library/aa447463.aspx
QueryDosDevice Function (can return a list of known devices???)
http://msdn.microsoft.com/en-us/library/aa365461(v=VS.85).aspx
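The following is an added example, not code from the bug report, from either commenter, or from Ruby itself. It turns the two regexes discussed above into a single check that can guard a static-file test: like hdm's pattern it accepts a device name followed by an extension (Windows still opens the device for a name such as CON.txt), and like coatl's pattern it accepts a trailing colon. It also looks at every path component rather than only the last one, which is what hdm's leading / does against a request path. The names `DOS_DEVICE_RE`, `dos_device_name?` and `serve_static?` are chosen for this example; the device list is the one from the thread, so, as coatl points out, names added at runtime with DefineDosDevice are not caught.

```ruby
# Added example (not from the bug report or from Ruby's source).
# Reserved MS-DOS device names listed in this thread; names defined at
# runtime via DefineDosDevice are deliberately out of scope here.
DOS_DEVICE_RE = /\A(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])\z/i

# True if any component of +path+ (split on "/" or "\") names a reserved
# MS-DOS device, including forms such as "con.txt" (hdm's regex allows an
# extension) and "LPT1:" (coatl's regex allows a trailing colon).
def dos_device_name?(path)
  path.to_s.split(%r{[/\\]}).any? do |segment|
    stem = segment.sub(/:\z/, '')     # drop a trailing colon: "COM1:" -> "COM1"
    stem = stem.sub(/\..*\z/, '')     # drop an extension:     "con.txt" -> "con"
    stem.match?(DOS_DEVICE_RE)
  end
end

# The kind of "standard test for static files" the report refers to,
# hardened so that a request for /AUX or /assets/com1.css is refused
# before File.file? / File.readable_real? are ever consulted.
# +root+ is the document root, +request_path+ the path from the request.
def serve_static?(root, request_path)
  return false if dos_device_name?(request_path)
  full = File.join(root, request_path)
  File.file?(full) && File.readable_real?(full)
end

if $PROGRAM_NAME == __FILE__
  %w[AUX /public/con.txt C:\\tmp\\LPT1: COM9 CONSOLE COM0 lpt10 /index.html].each do |p|
    puts "#{p.ljust(18)} device? #{dos_device_name?(p)}"
  end
end
```

The check is intentionally a blacklist, which is why it has to run before the File predicates rather than relying on them: on Windows those predicates are exactly what returns true for the device names, as the irb session in the report shows.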
Updated by mame (Yusuke Endoh) over 14 years ago
- Assignee set to usa (Usaku NAKAMURA)
- Priority changed from Normal to 3
- Target version set to 2.0.0
Hi,
According to Usaku, it is difficult to fix this issue.
According to Usaku, QueryDosDevice cannot be used. It determines some device files (such as CON) as normal files.
At least, we won't fix this issue in 1.9.2 release.
I change the target to 1.9.x and priority to Low.
Blame Windows!
--
Yusuke Endoh mame@tsg.ne.jp
Updated by hdm (HD Moore) over 14 years ago
Responding to Caleb: the regex is being used to monkeypatch an application server, the leading / is because the regex is matching an incoming request, not the raw filename, and I should have clarified in the initial report.
It does seem a sticky problem to solve, but it may be possible to combine the known-bad blacklist with QueryDosDevice (e.g. CON will always be a console). I am not sure how frequently DefineDosDevice is actually used, so just filtering a known blacklist may go a long way in the short term.
Updated by usa (Usaku NAKAMURA) over 14 years ago
- Status changed from Open to Assigned
Updated by usa (Usaku NAKAMURA) about 12 years ago
- Description updated (diff)
- Target version changed from 2.0.0 to 2.6
Updated by usa (Usaku NAKAMURA) about 7 years ago
- Assignee changed from usa (Usaku NAKAMURA) to windows
Updated by nobu (Nobuyoshi Nakada) about 7 years ago
- Description updated (diff)
- Status changed from Assigned to Closed
Seems already fixed in 2.0.0.