Add unsound `const-cstr` #1613

oherrala · 2023-02-20T11:46:26Z

const-cstr is crate by @abonander who has archived bunch of his Rust crates in GitHub.

See communication attempts on other crates:

Nugine · 2023-03-06T05:23:54Z

Alternatives:

pinkforest · 2023-03-12T09:45:18Z

btw const_cstr doesn't check for any interior nul bytes

Both the constructor and the canonical macro allows this:

const_cstr! {
    FOO = "\u{0}💖\u{0}";
}

let foo = FOO.as_cstr();

This violates the safety contract of ffi::CStr::from_bytes_with_nul_unchecked that is used in as_cstr()

Also because unicode(tm) vs bytes - as_str goes:

"\x00\xf0\x9f\x92\x96\x00" vs ConstCStr { val: "\0💖\0" }

pinkforest · 2023-03-12T10:12:46Z

Ok I've filled the advisory with some details - please check if anything missed. Thanks

crates/const-cstr/RUSTSEC-0000-0000.md

oherrala · 2023-03-12T11:07:32Z

Add unmaintained advisory for const-cstr

dcc1e85

oherrala mentioned this pull request Feb 20, 2023

buf_redux might be unmaintained #1602

Closed

pinkforest added 2 commits March 12, 2023 21:09

Fill advisory

ac277e8

Adjust date

6dffaef

pinkforest added Unsound Informational / Unsound Unmaintained Informational / Unmaintained Propose-Merge Propose-Merge labels Mar 12, 2023

pinkforest changed the title ~~Add unmaintained advisory for const-cstr~~ Add unsound const-cstr Mar 12, 2023

Nugine reviewed Mar 12, 2023

View reviewed changes

crates/const-cstr/RUSTSEC-0000-0000.md Outdated Show resolved Hide resolved

Fix typo

11af0e7

pinkforest merged commit 5c42175 into rustsec:main Mar 12, 2023

Provide feedback