-
Notifications
You must be signed in to change notification settings - Fork 329
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Could the :string type accepts Ruby Strings with null bytes, or an alternative type accept them? #1081
Comments
@eregon unintentional string data with \0 is one of the largest sources of CVEs in the world. Also probably the largest cause of CVEs for MRI. From FFI? I am not sure as I don't remember one but I would be extremely hesitant about assuming people are processing |
Mmh, right. So just allowing it seems not a good solution. Maybe we should have a way to specify if |
Existing workarounds for this are to manually use a MemoryPointer. |
@eregon I am only against changing string. If there is some way of making the memory pointer use cases easier then I think it is a good idea. I am not the gatekeeper of FFI APIs though 😄. I was just concerned about security issues of changing string. If you come up with something more specific then open up a new PR and the folks who tend to triage FFI issues more can chime in. I will close this and when/if you open something we can reference this issue for background. |
From oracle/truffleruby#3293 (comment)
Related to #1080
:pointer
is not great because it forces the passed Ruby String to use native memory, or copies before & after the native call.:string
avoids this but currently forbids null bytes:https://github.com/ffi/ffi/wiki/Types#types mentions
:string
asBut if there is a \0 in the middle it's still NULL-terminated from C's point of view.
Also C code can take a
const char *string, size_t length
for instance and deal with \0 bytes in the middle.So I think we should remove that check because it's not really necessary for safety and it prevents using
:string
where it matters to avoid extra copying.The only advantage of the check I see is it could catch an unintentional String with a \0 in it passed to FFI, and this could matter if the C code uses strlen() or similar on it. But having it at the cost of not allowing valid usages seems not worth.
The text was updated successfully, but these errors were encountered: