NULL handling inconsistent with Ruby #2357

Closed
headius opened this Issue Dec 29, 2014 · 3 comments

headius commented Dec 29, 2014

From http://jira.codehaus.org/browse/JRUBY-6247

NULL handling in filenames is inconsistent with Ruby, which exposes JRuby apps to NULL injection attacks:

$ echo 'require "uri"; p File.new(URI.decode("/etc/hosts%00"), "r").gets'|ruby
-:1:in `initialize': string contains null byte (ArgumentError)
    from -:1:in `new'
    from -:1:in `<main>'

$ echo 'require "uri"; p File.new(URI.decode("/etc/hosts%00"), "r").gets'|./jruby
"127.0.0.1\tlocalhost\n"
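
A defensive check for the behaviour reported above, as an added example that is not part of the original issue or of JRuby's code: `runtime_rejects_nul?` probes whether the running interpreter refuses NUL bytes in filenames, and `resolve_user_path` rejects them at the application layer regardless of the runtime. Both helper names, the error class and the sample inputs are assumptions made for illustration.

```ruby
require "uri"
require "tempfile"
require "tmpdir"

class UnsafePathError < StandardError; end

# Probe: does this interpreter refuse a filename containing a NUL byte?
# MRI raises ArgumentError; the JRuby build in the report opened the file.
def runtime_rejects_nul?
  Tempfile.create("nul-probe") do |f|
    File.new("#{f.path}\0", "r").close
    false
  end
rescue ArgumentError
  true
end

# Hypothetical helper (not JRuby code): decode a percent-encoded,
# user-supplied path and resolve it under base_dir.
def resolve_user_path(base_dir, encoded)
  decoded = URI.decode_www_form_component(encoded) # note: "+" becomes " "
  raise UnsafePathError, "NUL byte in path" if decoded.include?("\0")

  base = File.realpath(base_dir)
  full = File.expand_path(decoded, base)
  unless full.start_with?(base + File::SEPARATOR)
    raise UnsafePathError, "path escapes #{base}"
  end
  full
end

if __FILE__ == $0
  puts "runtime rejects NUL: #{runtime_rejects_nul?}"
  Dir.mktmpdir do |dir|
    # Constructed inputs; the second is the path from the report.
    ["notes.txt", "/etc/hosts%00", "..%2Fnotes.txt%00"].each do |input|
      begin
        puts "#{input.inspect} -> #{resolve_user_path(dir, input)}"
      rescue UnsafePathError => e
        puts "#{input.inspect} rejected: #{e.message}"
      end
    end
  end
end
```

Running the probe in CI against each deployed interpreter flags a build that still shows the reported behaviour.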

lumeet commented Feb 11, 2015

Didn't notice this one before but it seems to be fixed by #2583, too.

enebo commented Feb 11, 2015

@lumeet I guess to solve this we need fixes for jruby-1_7 as well.

mkristian commented Apr 13, 2015

f41b6d9 cherry-picks #2583 into jruby-1_7 and adds missing bits from StringSupport from master.

@mkristian mkristian closed this Apr 13, 2015

@enebo enebo added this to the 9.0.0.0.pre2 milestone Apr 28, 2015
