Iconv.conv leaks information
----------------------------
Key: JRUBY-3728
URL: http://jira.codehaus.org/browse/JRUBY-3728
Project: JRuby
Issue Type: Bug
Components: Java Integration
Affects Versions: JRuby 1.2
Environment:
  # uname -a
  Linux notebook 2.6.29-4GB #1 SMP PREEMPT Sat Mar 28 01:54:40 CET 2009 i686 i686 i386 GNU/Linux
  # jruby --version
  jruby 1.2.0 (ruby 1.8.6 patchlevel 287) (2009-04-03 rev 6586) [i386-java]
Reporter: Xuân Baldauf
Execute this Ruby code:
  require 'iconv'
  puts Iconv.conv("iso-8859-1", "utf-8", "hidden:foo\xA0bar".split(':')[1])
What should happen is either an output of
"foo�bar"
or an error message
Iconv::IllegalSequence: "\240bar"
However, the output is:
"hidden:foo�bar"
This means not only that the answer is wrong, but also that characters which
are not part of the string "foo�bar" (but which used to be somehow
"near" to this string in some input) are actually leaking. Thus, input
filtering is not working, which is a security issue.
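The same extraction and transcoding, as an added example that is not part of the report above or of JRuby's own code. Iconv was removed from Ruby in 2.0, so it uses String#encode instead, shows both outcomes the reporter expects (an exception, or the invalid byte replaced), and adds the check the report implies: the converted output may only be built from bytes of the selected field, so the "hidden:" prefix must never show up in it. The input string, the function names and the treatment of the raw input as binary are assumptions of this example.

```ruby
# Added example, not code from the JRuby issue or its reporter. It redoes the
# report's field extraction with String#encode (Iconv was removed in Ruby 2.0)
# and adds the check the report implies: output may only be built from the
# selected field, so bytes from before the ':' must never appear in it.

# Constructed input modelled on the report: a "hidden:" prefix, then a field
# containing the byte 0xA0, which is not a valid UTF-8 sequence. Treated as
# raw bytes (ASCII-8BIT), as data read off the wire would be.
RAW_INPUT = "hidden:foo\xA0bar".b

# Slice the field on the raw bytes, then label it with the encoding it claims
# to be. Splitting in binary avoids tripping over the invalid byte early.
def field_after_colon(raw)
  raw.b.split(':', 2)[1].force_encoding(Encoding::UTF_8)
end

# Strict mode: an invalid sequence must raise, never be passed through.
def transcode_strict(field)
  field.encode(Encoding::ISO_8859_1, Encoding::UTF_8)
end

# Lenient mode: the invalid byte is replaced by a marker; nothing else changes.
def transcode_lenient(field, marker = '?')
  field.encode(Encoding::ISO_8859_1, Encoding::UTF_8,
               invalid: :replace, undef: :replace, replace: marker)
end

# The property the report is about: nothing before the ':' may be present in
# the converted output. True means the converter leaked neighbouring bytes.
def leaks_prefix?(raw, result)
  prefix = raw.b.split(':', 2)[0]
  !prefix.empty? && result.b.include?(prefix.b)
end

# Run both modes on the field and report what each produced, plus the leak
# check on the lenient result.
def demo(raw = RAW_INPUT)
  field = field_after_colon(raw)
  out = {}
  begin
    out[:strict] = transcode_strict(field)
  rescue Encoding::InvalidByteSequenceError => e
    out[:strict_error] = e.class.name
  end
  out[:lenient] = transcode_lenient(field)
  out[:leaked]  = leaks_prefix?(raw, out[:lenient])
  out
end

if __FILE__ == $0
  p demo   # strict raises InvalidByteSequenceError, lenient is "foo?bar", leaked is false
end
```

The leak check is deliberately written against the raw input rather than the field, so it would flag exactly the behaviour in the report ("hidden:" appearing in the output) whichever transcoding backend is in use.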