NULL handling in filenames is inconsistent with Ruby, which exposes JRuby apps to NULL injection attacks:
$ echo 'require "uri"; p File.new(URI.decode("/etc/hosts%00"), "r").gets'|ruby
-:1:in `initialize': string contains null byte (ArgumentError)
from -:1:in `new'
from -:1:in `<main>'
$ echo 'require "uri"; p File.new(URI.decode("/etc/hosts%00"), "r").gets'|./jruby
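An application-level guard for the case reported above, as an added example that is not part of the original issue or of JRuby's code: it rejects a decoded NUL byte explicitly instead of relying on the runtime's `File` API, and probes whether the running interpreter rejects such paths itself. The names `UnsafePathError`, `decode_user_path` and `runtime_rejects_nul?` are hypothetical, and `URI.decode_www_form_component` stands in for `URI.decode`, which current Ruby versions no longer provide.

```ruby
require "uri"

# Hypothetical error type for this example.
class UnsafePathError < ArgumentError; end

# Decode a percent-encoded, user-supplied path and refuse it when the decoded
# value carries a NUL byte ("%00" decodes to "\0"). Doing the check here keeps
# behaviour identical across Ruby implementations.
def decode_user_path(raw)
  path = URI.decode_www_form_component(raw)
  raise UnsafePathError, "NUL byte in path: #{path.inspect}" if path.include?("\0")
  path
end

# Probe whether this runtime's File.new rejects a NUL-containing path on its
# own, as MRI does in the transcript above. The path is a constructed sample.
def runtime_rejects_nul?
  File.new("/nonexistent\0.txt", "r").close
  false
rescue ArgumentError
  true   # runtime refused the string before touching the filesystem
rescue SystemCallError
  false  # the call reached the OS, so the runtime did not reject the NUL
end

if __FILE__ == $0
  puts "runtime rejects NUL in File.new: #{runtime_rejects_nul?}"
  begin
    decode_user_path("/etc/hosts%00")
  rescue UnsafePathError => e
    puts "guard rejected input: #{e.message}"
  end
end
```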
Didn't notice this one before but it seems to be fixed by #2583, too.
@lumeet I guess to solve this we need fixes for jruby-1_7 as well.
f41b6d9 cherry-picks #2583 into jruby-1_7 and adds missing bits from StringSupport from master.