
xcb: Soundness issue with base::Error #575

Merged (1 commit), Jan 18, 2021

Conversation

@Qwaz Qwaz commented Jan 18, 2021

@Shnatsel (Member)

Thanks!

@Shnatsel Shnatsel merged commit 9804ecc into rustsec:master Jan 18, 2021

psychon commented Jan 23, 2021

Sorry for hijacking this PR, but I do not think this warrants a separate issue/PR.
I am exaggerating, but almost all of xcb is unsafe. Here are some examples that are easier to trigger accidentally than what this PR is about:


psychon commented Jan 23, 2021

I'm not looking for these on purpose. I am just reading some code (edit: some code using xcb, not the source code of xcb itself) and wonder "why doesn't this return a Result?". This one is a call to std::str::from_utf8_unchecked with a comment next to it saying "should we check what comes from X?". Yes, you should, and you should not simply assume that the data is fine.
https://github.com/rtbo/rust-xcb/issues/96

(Side note: X11 atoms are specified to use latin1)

@Shnatsel (Member)

@psychon thank you for investigating the xcb crate and reporting the issues upstream! Could you add a bit more detail to the upstream report - that atoms are specified to use latin1, what exactly is the problem with the current approach, and what should be done instead? I am not sure the issue is actionable for the maintainers as-is.


psychon commented Jan 23, 2021

Done, I hope. I also improved my other report there slightly, explaining that bool can only have values 0 and 1.

I am not sure the issue is actionable for the maintainers as-is.

Well, according to its README, I would think that the xcb crate is unmaintained. At its very top:

Maintenance request

I've been very happy to work on this project, but I don't have the possibility anymore to maintain these bindings to the level the Rust community deserves. I can't spend as much time on it as I used to, and I'm using neither Rust nor XCB anymore, so I clearly can't improve the bindings with the latest Rust features. A person with motivation and good knowledge of Rust and XCB may contact me by email.
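The two upstream reports discussed in this thread (the `from_utf8_unchecked` call on atom names that the X11 protocol specifies as Latin-1, and the `bool` field that is only valid for the byte values 0 and 1) share one root cause: bytes that arrive from the X server are untrusted input and must be validated before they are turned into a Rust `&str` or `bool`. The following is an added example written for this thread, not code from the xcb crate, this PR, or the upstream reports; the function names and the sample bytes are constructed for illustration. It shows the sound decoding for both cases: Latin-1 decoding that cannot fail (every byte is one code point), a checked UTF-8 decode for fields where UTF-8 really is promised, and a `bool` conversion that rejects out-of-range values instead of producing an invalid `bool`.

```rust
// Added example, not code from rust-xcb: decoding server-supplied bytes without
// assuming they are well-formed. The error type and function names are
// hypothetical; the sample input is constructed, not captured from a server.

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    /// A field documented as BOOL held a byte other than 0 or 1.
    InvalidBool(u8),
    /// A field the caller expected to be UTF-8 was not valid UTF-8.
    InvalidUtf8,
}

/// X11 atom names are Latin-1 (ISO 8859-1). Each byte maps to exactly one
/// code point U+0000..=U+00FF, so this conversion is total: it never fails
/// and never needs `unsafe`. Passing the same bytes through
/// `std::str::from_utf8_unchecked` instead would build a `&str` containing
/// invalid UTF-8 whenever a name holds a byte >= 0x80, which is undefined
/// behaviour in Rust.
pub fn atom_name_from_latin1(bytes: &[u8]) -> String {
    bytes.iter().map(|&b| b as char).collect()
}

/// For fields where UTF-8 is actually specified, decode with the checked
/// `from_utf8` and surface a `Result` to the caller rather than trusting
/// the peer.
pub fn checked_utf8(bytes: &[u8]) -> Result<&str, DecodeError> {
    std::str::from_utf8(bytes).map_err(|_| DecodeError::InvalidUtf8)
}

/// A Rust `bool` may only ever hold the bit patterns 0 or 1. A CARD8 from
/// the wire can hold any value, so it must be matched, not transmuted or
/// reinterpreted via a `#[repr(C)]` struct containing a `bool`.
pub fn bool_from_wire(b: u8) -> Result<bool, DecodeError> {
    match b {
        0 => Ok(false),
        1 => Ok(true),
        other => Err(DecodeError::InvalidBool(other)),
    }
}

fn main() {
    // Constructed sample: the atom name "café" as the server would send it in
    // Latin-1 (0xE9 = 'é'), which is not valid UTF-8.
    let name_bytes: [u8; 4] = [b'c', b'a', b'f', 0xE9];
    println!("latin1: {}", atom_name_from_latin1(&name_bytes));
    println!("utf8:   {:?}", checked_utf8(&name_bytes));
    // Constructed sample: a BOOL field carrying an out-of-range byte.
    println!("bool:   {:?}", bool_from_wire(2));
}
```

Run with `cargo run` or `rustc`; the Latin-1 decode yields `café`, the checked UTF-8 decode reports `InvalidUtf8` for the same bytes, and the `bool` conversion rejects `2` instead of constructing an invalid value.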
