realpath() security issue, potential fix

Michael Pyne pynm0001 at
Tue Aug 3 21:43:46 BST 2004

Hash: SHA1

Hi all,

I was reading the man pages for realpath(3), which is a function to resolve 
all symlinks within the given path, and they include a rather explicit 
warning that programmers shouldn't use the function anymore.  Unfortunately, 
they don't recommend an alternative function to use either, and after quite a 
bit of Googling, I wasn't able to find a suggested alternative online.  One 
site seemed to suggest that if the input path was less than MAX_PATH 
characters long that realpath was safe, but that seemed to be against the 
general consensus.

I know of at least one KDE application that uses realpath(3), so I coded a 
function using Qt functions to avoid buffer overflows, which is at .  It 
is obviously too late to get this in for 3.3, but perhaps something like this 
would be useful for 3.4/4.0 to have in kdelibs?

I would appreciate any advice you have on the implementation and/or 
feasibility for use in KDE.

 - Michael Pyne

P.S. I tried attaching the file last time I e-mailed -core-devel, but KMail 
turned the whole message into an attachment an the message got dropped.
Version: GnuPG v1.2.4 (GNU/Linux)


More information about the kde-core-devel mailing list