With JRuby 1.7.17 (and going back at least to 1.7.6 and probably longer), Regexp.union in Ruby 1.8 mode gives // instead of /(?!)/. In Ruby 1.9 mode, it gives /(?!)/. MRI 1.8.7 behavior is /(?!)/. So instead of the regexp matching nothing, this bug makes the regexp match everything.
While not a security vulnerability itself, this can potentially cause security vulnerabilities if the result of the Regexp.union call is being used as a whitelist filter.
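The failure mode described in this issue, as an added Ruby example that is not part of the original report: a whitelist built with Regexp.union that does not depend on what the interpreter returns for an empty union, plus a startup probe for the behavior. The helper names (`allowlist_regexp`, `allowed?`, `empty_union_matches_nothing?`) and all sample values are constructed for illustration.

```ruby
# Pattern that can never match: a negative lookahead on the empty pattern
# fails at every position. This is what an empty Regexp.union should return.
NEVER_MATCH = /(?!)/

# Constructed probe strings used to test a regexp's behavior.
PROBES = ["", "a", "admin", "\n"].freeze

# True when the given regexp (by default, the interpreter's empty union)
# rejects every probe. An affected interpreter returns // here, which
# matches every string, so this returns false.
def empty_union_matches_nothing?(union = Regexp.union)
  PROBES.none? { |s| union =~ s }
end

# Build a whole-string whitelist regexp from a list of allowed values.
# The empty list is handled explicitly, so the filter fails closed even
# if Regexp.union itself is buggy on this interpreter.
def allowlist_regexp(allowed)
  allowed = Array(allowed).compact
  return NEVER_MATCH if allowed.empty?
  /\A#{Regexp.union(allowed)}\z/
end

# True only when value is exactly one of the allowed entries.
def allowed?(value, allowed)
  !(allowlist_regexp(allowed) =~ value.to_s).nil?
end

if __FILE__ == $PROGRAM_NAME
  # Regexp.new("") stands in for the // result reported in the issue.
  buggy = Regexp.new("")
  puts "interpreter empty union is safe: #{empty_union_matches_nothing?}"
  puts "// would be safe:                #{empty_union_matches_nothing?(buggy)}"
  puts "empty whitelist allows 'admin':  #{allowed?('admin', [])}"
  puts "['admin'] allows 'admin':        #{allowed?('admin', ['admin'])}"
end
```

Running `empty_union_matches_nothing?` at application start or in a test suite makes an affected runtime fail loudly instead of silently accepting all input.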