[ https://issues.apache.org/jira/browse/IO-484?focusedWorklogId=691958&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-691958 ]
ASF GitHub Bot logged work on IO-484:
-------------------------------------
Author: ASF GitHub Bot
Created on: 07/Dec/21 18:36
Start Date: 07/Dec/21 18:36
Worklog Time Spent: 10m
Work Description: Marcono1234 opened a new pull request #310:
URL: https://github.com/apache/commons-io/pull/310
During the development of
[IO-484](https://issues.apache.org/jira/browse/IO-484) the behavior was first
to remove null bytes (afe78a030b57e3f74825e134d6615ef4878778cc) but then later
the implementation was changed to throw an exception instead
(5d072ef89fbc2532f621a5a0b4d6791cb926a997).
However, not all of the documentation was adjusted.
This pull request corrects the documentation by mentioning that an
`IllegalArgumentException` will be thrown for null bytes.
However, there are cases where the null bytes check is missing, or might be
undesired. I have added TODO comments at these locations. Please let me know if
you want any additional changes there.
Issue Time Tracking
-------------------
Worklog Id: (was: 691958)
Remaining Estimate: 0h
Time Spent: 10m
> FilenameUtils should handle embedded null bytes
> -----------------------------------------------
>
> Key: IO-484
> URL: https://issues.apache.org/jira/browse/IO-484
> Project: Commons IO
> Issue Type: Bug
> Components: Utilities
> Affects Versions: 2.4
> Reporter: Kristian Rosenvold
> Assignee: Kristian Rosenvold
> Priority: Major
> Fix For: 2.5
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Embedding nulls in filenames exposes injection vectors if the application
> passes unsanitized data to some functions in FilenameUtils.
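The two behaviours named in the pull request description above (removing null bytes, then throwing `IllegalArgumentException`), shown side by side as an added example. This is not Commons IO code: `stripNullBytes`, `requireNoNullBytes`, `extension`, the allow-list, the exception message and the file name are hypothetical and constructed for illustration.

```java
import java.util.Locale;
import java.util.Set;

public class NullByteFilenameCheck {

    // Constructed allow-list for the example.
    private static final Set<String> ALLOWED = Set.of("png", "jpg");

    /** Earlier behaviour described above: silently drop NUL characters. */
    static String stripNullBytes(String name) {
        return name.replace("\u0000", "");
    }

    /** Later behaviour described above: refuse the name outright. */
    static String requireNoNullBytes(String name) {
        if (name.indexOf('\u0000') >= 0) {
            throw new IllegalArgumentException("Null byte present in file name");
        }
        return name;
    }

    /** Text after the last dot, lower-cased; empty if there is no dot. */
    static String extension(String name) {
        int dot = name.lastIndexOf('.');
        return dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Constructed input: a NUL character sits between two extensions.
        String input = "avatar.jsp\u0000.png";

        // With no NUL handling the allow-list sees "png", while a consumer that
        // treats NUL as a string terminator (assumed here) would see "avatar.jsp".
        System.out.println("unchecked ext: " + extension(input));
        System.out.println("NUL-terminated view: " + input.substring(0, input.indexOf('\u0000')));

        // Stripping yields a name the caller never supplied.
        String stripped = stripNullBytes(input);
        System.out.println("stripped: " + stripped + " allowed=" + ALLOWED.contains(extension(stripped)));

        // Rejecting surfaces the malformed name to the caller instead.
        try {
            requireNoNullBytes(input);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```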