[Mono-bugs] [Bug 464128] char* should be in ANSI encoding when passed to C runtime rather than Unicode

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Wed Oct 13 13:08:49 EDT 2010 

https://bugzilla.novell.com/show_bug.cgi?id=464128

https://bugzilla.novell.com/show_bug.cgi?id=464128#c4


Jonathan Pryor <jpryor at novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jpryor at novell.com

--- Comment #4 from Jonathan Pryor <jpryor at novell.com> 2010-10-13 17:08:47 UTC ---
I'm guessing, but I think the issue is this:

Consider Mono.Unix.Native.Stdlib.fopen():

    [DllImport (LIBC, CallingConvention=CallingConvention.Cdecl, 
            SetLastError=true)]
    public static extern IntPtr fopen (
        [MarshalAs (UnmanagedType.CustomMarshaler, 
                    MarshalTypeRef=typeof(FileNameMarshaler))]
        string path, string mode);

Note: LIBC will be MSVCRT.DLL on Windows.

There are two ways to consider the above.  First, if we ignore the
CustomMarshaler use on the 'path' value, .NET and Mono will do two different
things when marshaling the 'path' string.  .NET will convert 'path' into the
ANSI encoding, while Mono will convert to UTF-8.

Thus, if you did Stdlib.fopen("filename-containing-unicode-characters"), two
different strings would be passed to MSVCRT.DLL!fopen, resulting in...confusion
at best, and some form of error at worst.

Though I'd love to know what EXACTLY could go wrong here.  I imagine it could
result in fopen() returning NULL for filenames containing invalid characters
for the current ANSI locale (meaning users won't be able to read files they'd
otherwise be able to read), but perhaps there's an actual security
vulnerability here?  I don't know.

If we consider the use of the CustomMarshaler, things get worse: with the
custom marshaler use, the default string marshaling is IGNORED, and thus UTF-8
strings will be generated even when running on .NET.

Oops.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
You are the assignee for the bug.

More information about the mono-bugs mailing list