NULL handling inconsistent with Ruby #2357

headius opened this Issue Dec 29, 2014 · 3 comments



headius commented Dec 29, 2014


NULL handling in filenames is inconsistent with Ruby, which exposes JRuby apps to NULL injection attacks:

$ echo 'require "uri"; p"/etc/hosts%00"), "r").gets'|ruby
-:1:in `initialize': string contains null byte (ArgumentError)
    from -:1:in `new'
    from -:1:in `<main>'

$ echo 'require "uri"; p"/etc/hosts%00"), "r").gets'|./jruby
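
An application-level guard for the behaviour reported above, as an added example that is not part of the original issue or of JRuby's code: it percent-decodes an untrusted path and rejects NUL bytes before any file API sees the string, and probes whether the running interpreter performs the same check itself. The names `safe_path`, `UnsafePathError`, `classify` and `runtime_rejects_nul?` and the sample inputs are hypothetical; using `URI.decode_www_form_component` for the decoding step is an assumption.

```ruby
require "uri"

# Raised when a decoded path contains a NUL byte (hypothetical error class).
class UnsafePathError < ArgumentError; end

# Percent-decode an untrusted path and refuse NUL bytes before the string
# reaches any file API. safe_path is a hypothetical helper.
def safe_path(encoded)
  decoded = URI.decode_www_form_component(encoded)
  if decoded.include?("\0")
    raise UnsafePathError, "path contains null byte: #{decoded.inspect}"
  end
  decoded
end

# Reports whether the running interpreter itself rejects a NUL byte in a
# filename, which is the behaviour the MRI transcript above shows.
def runtime_rejects_nul?
  File.new("/etc/hosts\0", "r").close
  false # the file opened, so the runtime did no NUL check
rescue ArgumentError
  true
rescue SystemCallError
  false # the path reached the OS, so the runtime did no NUL check
end

# Constructed sample inputs.
SAMPLES = ["/etc/hosts", "/etc/hosts%00", "/etc/hosts%00.txt"].freeze

# Returns [input, :ok | :rejected, decoded path or error message] per sample.
def classify(samples)
  samples.map do |s|
    begin
      [s, :ok, safe_path(s)]
    rescue UnsafePathError => e
      [s, :rejected, e.message]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  classify(SAMPLES).each { |row| p row }
  puts "runtime rejects NUL in filenames: #{runtime_rejects_nul?}"
end
```

The guard gives the same result on any runtime, so it still holds on an interpreter build that lacks the check.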


lumeet commented Feb 11, 2015

Didn't notice this one before but it seems to be fixed by #2583, too.



enebo commented Feb 11, 2015

@lumeet I guess to solve this we need fixes for jruby-1_7 as well.



mkristian commented Apr 13, 2015

f41b6d9 cherry-picks #2583 into jruby-1_7 and adds missing bits from StringSupport from master.

@mkristian mkristian closed this Apr 13, 2015

@enebo enebo added this to the milestone Apr 28, 2015
