James,
On 5/9/25 1:49 PM, James H. H. Lampert wrote:
> On 5/9/25 10:21 AM, Christopher Schultz wrote:
>> . . .
>> A lot of this comes from the fact that Tomcat is written in Java which
>> does not use null-terminated strings. A null byte in a string in Java
>> is not special in any way, and so it can't be used to prematurely
>> terminate a string that should otherwise be considered to be longer.
>> . . .
>> Hope that helps,
>> -chris
>
> It does.
>
> Given that Tomcat is in Java, and our webapp context (and presumably any
> other webapp context that will run in Tomcat) is in Java, and null-
> terminated strings are not a Java-native format, it sounds like the most
> a null byte injection could do would be to (as Dr. McCoy once put it)
> "take up knitting."
>
> And if a rogue null byte somehow got past the webapp, and into the C
> layer of the server for which our Tomcat webapp acts as a front-end, the
> worst it could do would be to cause a child-server job to either abend
> or lock up, which would be at most a minor nuisance.

I would indeed be slightly worried about the C layer of your server.
Is the C layer relatively small and/or has a small-ish interface exposed
to your Tomcat-hosted application? It's shockingly easy to check for
potentially poisonous null-bytes in Java strings before handing anything
off to the C layer that may be more error-prone.
So you can either have the C programmers review all their code (which I
would encourage) and/or you could have your Java programmers ensure
nothing potentially-nasty gets passed into the C code. Belt and suspenders.
-chris
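
The Java-side check mentioned in the reply above, as an added example (not code from this thread or from Tomcat). The class, method and field names are hypothetical, the sample parameters are constructed, and it assumes the C layer receives UTF-8 bytes and treats 0x00 as the string terminator.

```java
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example: class, method and parameter names are hypothetical.
public final class NativeBoundaryGuard {

    // Length a C routine using strlen() would see: bytes before the first 0x00.
    static int cVisibleLength(byte[] bytes) {
        for (int i = 0; i < bytes.length; i++) {
            if (bytes[i] == 0) return i;
        }
        return bytes.length;
    }

    // Encode a value for the C layer, refusing any string that contains U+0000.
    // Assumption: the C side receives UTF-8 bytes and treats 0x00 as the terminator.
    static byte[] encodeForNative(String field, String value) {
        int at = value.indexOf('\u0000');
        if (at >= 0) {
            throw new IllegalArgumentException(
                "NUL character in field '" + field + "' at index " + at);
        }
        return value.getBytes(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample input, standing in for decoded request parameters.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("customer", "ACME-0042");
        params.put("report", "summary\u0000.txt");

        for (Map.Entry<String, String> e : params.entrySet()) {
            String v = e.getValue();
            byte[] raw = v.getBytes(StandardCharsets.UTF_8);
            // Java keeps the whole string; a C string would stop at the first 0x00.
            System.out.printf("%s: Java length=%d, C-visible length=%d%n",
                e.getKey(), v.length(), cVisibleLength(raw));
            try {
                byte[] safe = encodeForNative(e.getKey(), v);
                System.out.println("  pass to C layer: " + safe.length + " bytes");
            } catch (IllegalArgumentException ex) {
                System.out.println("  rejected: " + ex.getMessage());
            }
        }
    }
}
```

Rejecting the value outright, rather than stripping the character, keeps the Java side and the C side in agreement about what string was actually submitted.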