[jira] [Work logged] (IO-484) FilenameUtils should handle embedded null bytes

Wed, 26 Jan 2022 05:06:39 -0800 


     [ 
https://issues.apache.org/jira/browse/IO-484?focusedWorklogId=715661&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-715661
 ]

ASF GitHub Bot logged work on IO-484:
-------------------------------------

                Author: ASF GitHub Bot
            Created on: 26/Jan/22 13:05
            Start Date: 26/Jan/22 13:05
    Worklog Time Spent: 10m 
      Work Description: Marcono1234 commented on pull request #310:
URL: https://github.com/apache/commons-io/pull/310#issuecomment-1022178476


   Ok, I have removed the comments now. Here are the issues the TODO comments 
were about, in case you or someone else wants to have a look at them in the 
future:
   
   - `doGetFullPath(String, boolean)`: In some cases does not call (indirectly) 
`requireNonNullChars`
   - `equals(String, String, boolean, IOCase)`: Normalization can throw 
`IllegalArgumentException` when file names contain null characters. Currently 
not documented, but not clear what the desired behavior is. Should exception be 
caught and `false` be returned? If exception should not be caught, then 
exception has to be documented, also for callers of this method. And should 
`fileName2` then always be validated as well? Currently if normalization is 
requested but `fileName1` is `null`, `fileName2` is not checked for null 
characters.
   - `getExtension(String)`: Does not call `requireNonNullChars`
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

    Worklog Id:     (was: 715661)
    Time Spent: 1.5h  (was: 1h 20m)

> FilenameUtils should handle embedded null bytes
> -----------------------------------------------
>
>                 Key: IO-484
>                 URL: https://issues.apache.org/jira/browse/IO-484
>             Project: Commons IO
>          Issue Type: Bug
>          Components: Utilities
>    Affects Versions: 2.4
>            Reporter: Kristian Rosenvold
>            Assignee: Kristian Rosenvold
>            Priority: Major
>             Fix For: 2.5
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> embedding nulls in filenames exposes injection vectors if the application 
> passes unsanitized data to some functions in FileNameUtils



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to