NULL handling inconsistent with Ruby
------------------------------------
Key: JRUBY-6247
URL: https://jira.codehaus.org/browse/JRUBY-6247
Project: JRuby
Issue Type: Bug
Components: Standard Library
Affects Versions: JRuby 1.6.5
Reporter: meder
Assignee: Thomas E Enebo
NULL handling in filenames is inconsistent with Ruby, which exposes JRuby apps
to NULL injection attacks:
$ echo 'require "uri"; p File.new(URI.decode("/etc/hosts%00"), "r").gets'|ruby
-:1:in `initialize': string contains null byte (ArgumentError)
from -:1:in `new'
from -:1:in `<main>'
$ echo 'require "uri"; p File.new(URI.decode("/etc/hosts%00"), "r").gets'|./jruby
"127.0.0.1\tlocalhost\n"
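Added example, not part of the original report or of JRuby's code: an application-level guard that percent-decodes a path and raises on an embedded NUL byte before any File call, so the result is the same whether or not the runtime performs the check itself. The names percent_decode, checked_path, open_checked and NulByteInPath are hypothetical, and the inputs in the demo are constructed.

```ruby
# Raised when a decoded path contains a NUL byte (hypothetical name).
class NulByteInPath < ArgumentError; end

# Percent-decode without URI.decode, which newer Ruby versions no longer ship.
# Works on a binary copy so that bytes >= 0x80 cannot cause encoding errors.
def percent_decode(encoded)
  encoded.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Decode a path and reject it if it contains a NUL byte, mirroring the
# ArgumentError that MRI's File.new raises in the report above.
def checked_path(encoded)
  path = percent_decode(encoded)
  raise NulByteInPath, "string contains null byte" if path.include?("\0")
  path.force_encoding(Encoding::UTF_8)
end

# Drop-in replacement for File.open on untrusted, percent-encoded paths.
# The check runs before the filesystem is touched.
def open_checked(encoded, mode = "r", &block)
  File.open(checked_path(encoded), mode, &block)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the clean path and the path from the report.
  ["/etc/hosts", "/etc/hosts%00"].each do |raw|
    begin
      puts "#{raw.inspect} -> accepted as #{checked_path(raw).inspect}"
    rescue NulByteInPath => e
      puts "#{raw.inspect} -> rejected: #{e.message}"
    end
  end
end
```

Routing every untrusted path through checked_path keeps validation in one place and independent of the interpreter version.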