Panic if PathBuf::set_extension would add a path separator

This is likely never intended and potentially a security vulnerability if it happens. I'd guess that it's mostly literal strings that are passed to this function in practice, so I'm guessing this doesn't break anyone. CC #125060
2024-05-13 14:22:45 +02:00 · 2024-05-13 14:22:45 +02:00 · 700b3ea61b
commit 700b3ea61b
parent 6be7b0c7d2
2 changed files with 36 additions and 0 deletions
--- a/library/std/src/path.rs
+++ b/library/std/src/path.rs
@ -1425,6 +1425,11 @@ fn _set_file_name(&mut self, file_name: &OsStr) {
    /// If `extension` is the empty string, [`self.extension`] will be [`None`]
    /// afterwards, not `Some("")`.
    ///
+    /// # Panics
+    ///
+    /// Panics if the passed extension contains a path separator (see
+    /// [`is_separator`]).
+    ///
    /// # Caveats
    ///
    /// The new `extension` may contain dots and will be used in its entirety,
@ -1470,6 +1475,14 @@ pub fn set_extension<S: AsRef<OsStr>>(&mut self, extension: S) -> bool {
    }

    fn _set_extension(&mut self, extension: &OsStr) -> bool {
+        for &b in extension.as_encoded_bytes() {
+            if b < 128 {
+                if is_separator(b as char) {
+                    panic!("extension cannot contain path separators: {:?}", extension);
+                }
+            }
+        }
+
        let file_stem = match self.file_stem() {
            None => return false,
            Some(f) => f.as_encoded_bytes(),
--- a/library/std/src/path/tests.rs
+++ b/library/std/src/path/tests.rs
@ -1803,6 +1803,29 @@ macro_rules! unchanged(
    assert_eq!(absolute(r"COM1").unwrap().as_os_str(), Path::new(r"\\.\COM1").as_os_str());
 }

+#[test]
+#[should_panic = "path separator"]
+fn test_extension_path_sep() {
+    let mut path = PathBuf::from("path/to/file");
+    path.set_extension("d/../../../../../etc/passwd");
+}
+
+#[test]
+#[should_panic = "path separator"]
+#[cfg(windows)]
+fn test_extension_path_sep_alternate() {
+    let mut path = PathBuf::from("path/to/file");
+    path.set_extension("d\\test");
+}
+
+#[test]
+#[cfg(not(windows))]
+fn test_extension_path_sep_alternate() {
+    let mut path = PathBuf::from("path/to/file");
+    path.set_extension("d\\test");
+    assert_eq!(path, Path::new("path/to/file.d\\test"));
+}
+
 #[bench]
 #[cfg_attr(miri, ignore)] // Miri isn't fast...
 fn bench_path_cmp_fast_path_buf_sort(b: &mut test::Bencher) {