Summary
library/std/src/sys/paths/uefi.rs join_paths rejects segments containing ; (PATHS_SEP) but does not reject segments containing interior wide 0. Joined Path-style values are later treated as C-style wide strings for the UEFI Shell Path variable; an embedded NUL truncates the variable at the first zero unit.
Windows join_paths has the same class of fix (reject 0 / quote / separator).
Origin
Audit of external-input trust boundaries in std (env path joining / platform string helpers), SebTardif/rust fork of rust-lang/rust.
Affected code (upstream tip at audit time)
https://github.com/rust-lang/rust/blob/f28ac764c36/library/std/src/sys/paths/uefi.rs#L79-L100
let v = path.as_ref().encode_wide().collect::<Vec<u16>>();
if v.contains(&PATHS_SEP) {
return Err(JoinPathsError);
}
joined.extend_from_slice(&v);Suggested fix
If v.contains(&0), return JoinPathsError. Update Display to mention interior NUL (alongside ;).
Impact
Low. UEFI is a specialty target; callers must pass OsStr segments with embedded NULs. Misbehavior is truncated PATH-style env strings.
Related
Summary
library/std/src/sys/paths/uefi.rsjoin_pathsrejects segments containing;(PATHS_SEP) but does not reject segments containing interior wide0. Joined Path-style values are later treated as C-style wide strings for the UEFI Shell Path variable; an embedded NUL truncates the variable at the first zero unit.Windows
join_pathshas the same class of fix (reject0/ quote / separator).Origin
Audit of external-input trust boundaries in
std(env path joining / platform string helpers), SebTardif/rust fork of rust-lang/rust.Affected code (upstream tip at audit time)
https://github.com/rust-lang/rust/blob/f28ac764c36/library/std/src/sys/paths/uefi.rs#L79-L100
Suggested fix
If
v.contains(&0), returnJoinPathsError. UpdateDisplayto mention interior NUL (alongside;).Impact
Low. UEFI is a specialty target; callers must pass
OsStrsegments with embedded NULs. Misbehavior is truncatedPATH-style env strings.Related