Null-byte vulnerability
-----------------------
Key: JRUBY-4828
URL: http://jira.codehaus.org/browse/JRUBY-4828
Project: JRuby
Issue Type: Bug
Components: Core Classes/Modules
Affects Versions: JRuby 1.5, JRuby 1.4
Environment: Tested on x86-64 Linux and Intel Mac OS
Reporter: Kelvin Liu
[Charles Oliver Nutter asked me to file this after I emailed secur...@jruby]
JRuby allows null bytes in some file operations. If the JVM doesn't check for
these (Sun's does not, even up to Java 1.6), arbitrary files may be accessed by
an attacker. Tested versions: 1.4.0 and 1.5.0.
# Sample code:
def get_txt_by_name(name)
  txtname = name + ".txt"
  # Both calls are handed "/etc/passwd\000.txt"; if the JVM passes the NUL
  # through unchecked, the native path ends at the NUL and ".txt" is dropped
  File.exist?(txtname) or raise
  File.read(txtname)
end

get_txt_by_name("/etc/passwd")      # raises (no /etc/passwd.txt)
get_txt_by_name("/etc/passwd\000")  # returns contents of /etc/passwd on JRuby 1.4/1.5
MRI protects against this by raising "ArgumentError: string contains null byte".
In MRI (I'm using ruby-enterprise), it looks like the protection happens when
functions in file.c call StringValueCStr, which is #define'd in ruby.h to be
rb_string_value_cstr, which is implemented in string.c. In the body of
rb_string_value_cstr you'll see the ArgumentError being raised.
It might be good to grep for StringValueCStr and rb_string_value_cstr. I see
references in io.c and process.c to name two.
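As an added example, not code from the report or from JRuby, here is what the application-side fix looks like when the runtime cannot be trusted to raise: the lookup rejects a NUL itself before the name reaches any file call, and additionally confines the resolved path to a base directory (a defence the report does not discuss). A small probe, `nul_behaviour`, reports whether the running interpreter rejects the NUL (`:rejected`, MRI's ArgumentError), truncates it (`:truncated`, the JRuby 1.4/1.5 behaviour described above), or treats the name as simply absent. The function names and the base-directory argument are assumptions for this example.

```ruby
# Added example, not part of the JRuby issue or JRuby's own code.
require 'tmpdir'

# Hardened counterpart of the reporter's get_txt_by_name (hypothetical name):
# the NUL check runs in Ruby, so it works whether or not the runtime checks.
def safe_txt_by_name(base, name)
  # Reject the byte that truncates a C path; don't rely on the VM to do it
  raise ArgumentError, "name contains null byte" if name.include?("\0")
  path = File.expand_path(name + ".txt", base)
  # Confine the resolved path to base/ (blocks "../" escapes as well)
  unless path.start_with?(File.join(base, ""))
    raise ArgumentError, "path escapes base directory"
  end
  File.read(path)   # raises Errno::ENOENT if the file is absent
end

# Probe: how does this Ruby treat a NUL appended to an existing path?
#   :rejected  - ArgumentError raised (MRI behaviour)
#   :truncated - lookup succeeded, i.e. the path was cut at the NUL
#   :not_found - NUL passed through but nothing matched
def nul_behaviour(existing_path)
  File.exist?(existing_path + "\0") ? :truncated : :not_found
rescue ArgumentError
  :rejected
end

if __FILE__ == $0
  Dir.mktmpdir do |base|
    File.write(File.join(base, "hello.txt"), "hi")   # constructed sample file
    puts safe_txt_by_name(base, "hello")             # hi
    puts nul_behaviour(File.join(base, "hello.txt")) # rejected on MRI
    begin
      safe_txt_by_name(base, "hello\0")
    rescue ArgumentError => e
      puts "blocked: #{e.message}"
    end
  end
end
```

Run the probe on the interpreter you deploy on: a result of `:truncated` means the runtime has the behaviour this report describes, and every path-taking call must be guarded the way `safe_txt_by_name` does.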
--
This message is automatically generated by JIRA.