NULL handling inconsistent with Ruby
------------------------------------

Key: JRUBY-6247
URL: https://jira.codehaus.org/browse/JRUBY-6247
Project: JRuby
Issue Type: Bug
Components: Standard Library
Affects Versions: JRuby 1.6.5
Reporter: meder
Assignee: Thomas E Enebo

NULL handling in filenames is inconsistent with Ruby, which exposes JRuby apps to NULL injection attacks:

    $ echo 'require "uri"; p File.new(URI.decode("/etc/hosts%00"), "r").gets'|ruby
    -:1:in `initialize': string contains null byte (ArgumentError)
            from -:1:in `new'
            from -:1:in `<main>'

    $ echo 'require "uri"; p File.new(URI.decode("/etc/hosts%00"), "r").gets'|./jruby
    "127.0.0.1\tlocalhost\n"
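
An added example, not part of the original report or of JRuby's code: an application-level guard that rejects NUL bytes after percent-decoding instead of relying on File.new to raise, and shows why a suffix check alone is not enough. The helper names, base directory and sample inputs are constructed for illustration.

```ruby
require "uri"

BASE_DIR = "/srv/app/files" # constructed base directory for the example

class UnsafePathError < ArgumentError; end

# What a NUL-terminated (C string) file API sees for a given Ruby string.
def os_view(path)
  path.split("\0", 2).first.to_s
end

# Naive allow-list check that only inspects the end of the Ruby string.
def naive_allows?(decoded, ext = ".txt")
  decoded.end_with?(ext)
end

# Hypothetical guard: decode the user-supplied name, then validate it before
# any File call, so the result does not depend on the runtime raising.
def checked_path(encoded, base_dir = BASE_DIR, ext = ".txt")
  # URI.decode (used in the report) no longer exists in current Ruby.
  decoded = URI.decode_www_form_component(encoded)
  raise UnsafePathError, "NUL byte in path" if decoded.include?("\0")
  raise UnsafePathError, "extension not allowed" unless naive_allows?(decoded, ext)
  full = File.expand_path(decoded, base_dir)
  unless full.start_with?(File.join(base_dir, ""))
    raise UnsafePathError, "outside base directory"
  end
  full
end

if __FILE__ == $0
  # Constructed inputs; the second mirrors the %00 case from the report.
  ["notes.txt", "..%2F..%2Fetc%2Fhosts%00.txt", "..%2Fsecret.txt"].each do |input|
    begin
      puts "#{input.inspect} -> #{checked_path(input)}"
    rescue UnsafePathError => e
      puts "#{input.inspect} rejected: #{e.message}"
    end
  end
end
```

The suffix check passes on the decoded string while the NUL-terminated view of the same string ends before the suffix, which is the mismatch the explicit NUL check closes.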