realpath() security issue, potential fix

Michael Pyne pynm0001 at comcast.net
Tue Aug 3 21:43:46 BST 2004


Hi all,

I was reading the man pages for realpath(3), which is a function to resolve 
all symlinks within the given path, and they include a rather explicit 
warning that programmers shouldn't use the function anymore.  Unfortunately, 
they don't recommend an alternative function to use either, and after quite a 
bit of Googling, I wasn't able to find a suggested alternative online.  One 
site seemed to suggest that if the input path was less than MAX_PATH 
characters long that realpath was safe, but that seemed to be against the 
general consensus.

I know of at least one KDE application that uses realpath(3), so I coded a 
function using Qt functions to avoid buffer overflows, which is at 
http://grammarian.homelinux.net/~kde-cvs/realpath-replacement.cpp .  It 
is obviously too late to get this in for 3.3, but perhaps something like this 
would be useful for 3.4/4.0 to have in kdelibs?

I would appreciate any advice you have on the implementation and/or 
feasibility for use in KDE.

Regards,
 - Michael Pyne

P.S. I tried attaching the file last time I e-mailed -core-devel, but KMail 
turned the whole message into an attachment and the message got dropped.
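
Added example, not part of the original message and not KDE code: since POSIX.1-2008, realpath() accepts NULL as its second argument and returns a malloc()-allocated result, so there is no caller-supplied fixed-size output buffer to overflow. The names resolve_path and demo and the temporary directory layout are constructed for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700 /* realpath(path, NULL), mkdtemp, symlink */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical wrapper: canonical path in a heap buffer sized by libc.
 * Caller frees the result. Returns NULL with errno set on failure. */
char *resolve_path(const char *path)
{
    if (path == NULL || *path == '\0') {
        errno = EINVAL;
        return NULL;
    }
    return realpath(path, NULL); /* NULL: no caller-supplied buffer */
}

/* Constructed demo: dir/target is a file, dir/link -> target,
 * dir/dangling -> missing. Returns 0 when all checks pass. */
int demo(void)
{
    char dir[] = "/tmp/rp-demo-XXXXXX";
    char target[64], lnk[64], dangling[64];
    int rc = 1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    snprintf(dangling, sizeof dangling, "%s/dangling", dir);

    FILE *f = fopen(target, "w");
    if (f != NULL && fclose(f) == 0 &&
        symlink("target", lnk) == 0 && symlink("missing", dangling) == 0) {
        char *a = resolve_path(lnk);      /* follows the symlink */
        char *b = resolve_path(target);
        char *c = resolve_path(dangling); /* fails with ENOENT */
        int dangling_ok = (c == NULL && errno == ENOENT);
        if (a != NULL && b != NULL && strcmp(a, b) == 0 && dangling_ok)
            rc = 0;
        free(a); free(b); free(c);
    }
    unlink(lnk); unlink(dangling); unlink(target); rmdir(dir);
    return rc;
}
```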



