realpath() security issue, potential fix

David Faure faure at
Mon Aug 9 20:21:54 BST 2004

On Tuesday 03 August 2004 22:43, Michael Pyne wrote:
> Hi all,
> I was reading the man pages for realpath(3), which is a function to resolve
> all symlinks within the given path, and they include a rather explicit
> warning that programmers shouldn't use the function anymore.
Ouch, indeed.

> Unfortunately, 
> they don't recommend an alternative function to use either, and after quite a
> bit of Googling, I wasn't able to find a suggested alternative online.  One
> site seemed to suggest that if the input path was less than MAX_PATH
> characters long that realpath was safe, but that seemed to be against the
> general consensus.
Common sense would indicate that it's the _output_ path that has to be
allocated to MAX_PATH characters....

> I know of at least one KDE application that uses realpath(3)
Actually they all do, via KStandardDirs.

Anyway.... doesn't QDir::canonicalPath() do this already?

And I submitted recently a request for QFile[Info]::canonicalPath() to get
a convenience method doing the same for files, and TT said they would
think about including it in qt4.

> P.S. I tried attaching the file last time I e-mailed -core-devel, but KMail
> turned the whole message into an attachment an the message got dropped.
You put the mail in the drafts folder temporarily, right? I had that bug too, but
I couldn't reproduce it :(

David Faure, faure at, sponsored by Trolltech to work on KDE,
Konqueror (, and KOffice (

More information about the kde-core-devel mailing list