With jruby 1.7.17 (and going back at least to 1.7.6 and probably longer), `Regexp.union []` in ruby 1.8 mode gives `//` instead of `/(?!)/`. In ruby 1.9 mode, it gives `/(?!)/`. MRI 1.8.7 behavior is `/(?!)/`. So instead of the regexp matching nothing, this bug makes the regexp match everything.
While not a security vulnerability itself, this can potentially cause security vulnerabilities, if the result of the `Regexp.union []` call is being used as a whitelist filter.
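An added example, not part of the original report or of JRuby's code: one way to build a whitelist filter that fails closed when the list is empty, instead of depending on what `Regexp.union []` returns on a given interpreter. The names `NEVER_MATCH`, `empty_union_safe?`, `build_allowlist` and `allowed?`, and the sample host names, are assumptions made for illustration.

```ruby
# Added example. All names here are hypothetical, not JRuby or MRI APIs.

# Regexp that can never match: an empty negative lookahead always fails.
NEVER_MATCH = /(?!)/

# True if this interpreter returns a match-nothing regexp for an empty
# union. An interpreter with the behaviour described in the report returns
# false here, because // matches every string, including "".
def empty_union_safe?
  (Regexp.union([]) =~ "").nil?
end

# Build an anchored filter from literal strings, failing closed.
def build_allowlist(allowed)
  literals = Array(allowed).map { |s| s.to_s }.reject { |s| s.empty? }
  # Handle the empty case explicitly instead of trusting Regexp.union([]).
  return NEVER_MATCH if literals.empty?
  # Regexp.union escapes string arguments; anchor so only whole values pass.
  Regexp.new("\\A(?:" + Regexp.union(literals).source + ")\\z")
end

# True only when the whole value is one of the allowed literals.
def allowed?(allowlist, value)
  !(allowlist =~ value.to_s).nil?
end

# Constructed sample inputs.
hosts = build_allowlist(["example.com", "api.example.com"])
none  = build_allowlist([])

puts allowed?(hosts, "example.com")      # exact entry
puts allowed?(hosts, "evil-example.com") # superstring of an entry
puts allowed?(hosts, "exampleXcom")      # "." is escaped, not a wildcard
puts allowed?(none,  "example.com")      # empty list permits nothing
puts empty_union_safe?                   # startup self-check for the runtime
```

Running `empty_union_safe?` at application start (or in the test suite) flags an affected runtime before any filter built from an empty list is used.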