NULL handling inconsistent with Ruby #2357

Closed
headius opened this issue Dec 29, 2014 · 3 comments


@headius headius commented Dec 29, 2014

From http://jira.codehaus.org/browse/JRUBY-6247

NULL handling in filenames is inconsistent with Ruby, which exposes JRuby apps to NULL injection attacks:

$ echo 'require "uri"; p File.new(URI.decode("/etc/hosts%00"), "r").gets'|ruby
-:1:in `initialize': string contains null byte (ArgumentError)
    from -:1:in `new'
    from -:1:in `<main>'

$ echo 'require "uri"; p File.new(URI.decode("/etc/hosts%00"), "r").gets'|./jruby
"127.0.0.1\tlocalhost\n"

@lumeet lumeet commented Feb 11, 2015

Didn't notice this one before but it seems to be fixed by #2583, too.


@enebo enebo commented Feb 11, 2015

@lumeet I guess to solve this we need fixes for jruby-1_7 as well.


@mkristian mkristian commented Apr 13, 2015

f41b6d9 cherry-picks #2583 into jruby-1_7 and adds missing bits from StringSupport from master.

@mkristian mkristian closed this Apr 13, 2015
@enebo enebo added this to the 9.0.0.0.pre2 milestone Apr 28, 2015
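
The NUL-byte case from the report at the top of this issue, as an added Ruby example (not code from the issue, its participants or JRuby): a guard that rejects NUL bytes in a decoded path itself, so the result does not depend on which runtime opens the file, plus a probe of how the running interpreter's `File.new` behaves. The helper names `c_string_view`, `decode_untrusted_path`, `runtime_rejects_nul?` and `NulByteInPath` are hypothetical, and the sample inputs are constructed.

```ruby
require "uri"

# Added example: helper names are hypothetical, inputs are constructed.
class NulByteInPath < ArgumentError; end

# What a NUL-terminated native file API would act on: everything before the
# first NUL. This is the mismatch behind the JRuby output in the report.
def c_string_view(path)
  path.split("\0", 2).first.to_s
end

# Decode an untrusted percent-encoded path and reject NUL bytes explicitly,
# so the check does not depend on which Ruby runtime opens the file.
# URI.decode (used in the report) was removed in Ruby 3.0; this uses
# URI.decode_www_form_component, which also maps "+" to a space.
def decode_untrusted_path(encoded)
  decoded = URI.decode_www_form_component(encoded)
  if decoded.include?("\0")
    raise NulByteInPath,
          "NUL byte in path #{decoded.inspect}; a native API would see #{c_string_view(decoded).inspect}"
  end
  decoded
end

# Probe the running interpreter: does File.new itself refuse a NUL byte,
# as MRI does in the report? Returns true when it raises ArgumentError.
def runtime_rejects_nul?(path = "/etc/hosts\0")
  File.new(path, "r").close
  false
rescue ArgumentError
  true
rescue SystemCallError
  false # the runtime passed the string on to the OS instead of rejecting it
end

if __FILE__ == $PROGRAM_NAME
  ["/etc/hosts", "/etc/hosts%00", "/etc/hosts%00.txt"].each do |input| # constructed
    begin
      puts "#{input.inspect} -> accepted as #{decode_untrusted_path(input).inspect}"
    rescue NulByteInPath => e
      puts "#{input.inspect} -> rejected (#{e.message})"
    end
  end
  puts "File.new rejects NUL on this runtime: #{runtime_rejects_nul?}"
end
```

Running `runtime_rejects_nul?` on each deployed interpreter version shows whether that runtime already refuses such paths or relies on the application-level guard.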