NULL handling inconsistent with Ruby
------------------------------------

                 Key: JRUBY-6247
                 URL: https://jira.codehaus.org/browse/JRUBY-6247
             Project: JRuby
          Issue Type: Bug
          Components: Standard Library
    Affects Versions: JRuby 1.6.5
            Reporter: meder
            Assignee: Thomas E Enebo


NULL handling in filenames is inconsistent with Ruby, which exposes JRuby apps 
to NULL injection attacks:

$ echo 'require "uri"; p File.new(URI.decode("/etc/hosts%00"), "r").gets'|ruby
-:1:in `initialize': string contains null byte (ArgumentError)
        from -:1:in `new'
        from -:1:in `<main>'


$ echo 'require "uri"; p File.new(URI.decode("/etc/hosts%00"), "r").gets'|./jruby
"127.0.0.1\tlocalhost\n"



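An application-side guard for the behaviour reported above, as an added example that is not part of the original report or of JRuby: it decodes the path once, rejects NUL bytes itself, and probes whether the running interpreter refuses them. The helper names (`percent_decode`, `checked_path`, `guarded_read_line`, `runtime_rejects_nul?`, `NulInPathError`) and the temporary sample file are assumptions constructed for illustration.

```ruby
require "tmpdir"

# Hypothetical helper names; nothing here is part of JRuby or the report.
class NulInPathError < ArgumentError; end

# Minimal percent-decoder for a request-supplied path (decodes exactly once).
def percent_decode(raw)
  raw.b.gsub(/%(\h\h)/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# Reject NUL in the application, so the outcome does not depend on whether
# the runtime raises (ruby in the report) or opens the file (JRuby 1.6.5).
def checked_path(raw)
  path = percent_decode(raw)
  raise NulInPathError, "string contains null byte" if path.include?("\0")
  path
end

def guarded_read_line(raw)
  File.open(checked_path(raw), "r") { |f| f.gets }
end

# Startup probe: true when File.new itself refuses a NUL byte.
def runtime_rejects_nul?
  Dir.mktmpdir do |dir|
    begin
      File.new(File.join(dir, "probe") + "\0.txt", "r").close
      false # something was opened: the NUL byte was ignored
    rescue ArgumentError
      true  # the ruby behaviour shown in the report
    rescue SystemCallError
      false # the call reached the OS instead of being rejected
    end
  end
end

# Constructed sample: one real file, requested cleanly and with NUL variants.
def demo
  Dir.mktmpdir do |dir|
    target = File.join(dir, "hosts")
    File.write(target, "127.0.0.1\tlocalhost\n")
    [target, "#{target}%00", "#{target}%00.txt", "#{target}\0"].map do |raw|
      begin
        guarded_read_line(raw)
      rescue NulInPathError => e
        e.class
      end
    end
  end
end
```

Calling `runtime_rejects_nul?` at boot and logging a `false` result flags an interpreter that behaves like the JRuby run in the report.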