Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NULL handling inconsistent with Ruby #2357

Closed
headius opened this issue Dec 29, 2014 · 3 comments
Closed

NULL handling inconsistent with Ruby #2357

headius opened this issue Dec 29, 2014 · 3 comments
Assignees
@mkristian
Labels
JRuby 1.7.x JRuby 9000
Milestone
JRuby 9.0.0.0.pre2

Comments

@headius
Copy link
Member

headius commented Dec 29, 2014

From http://jira.codehaus.org/browse/JRUBY-6247

NULL handling in filenames is inconsistent with Ruby, which exposes JRuby apps to NULL injection attacks:

$ echo 'require "uri"; p File.new(URI.decode("/etc/hosts%00"), "r").gets'|ruby
-:1:in `initialize': string contains null byte (ArgumentError)
    from -:1:in `new'
    from -:1:in `<main>'

$ echo 'require "uri"; p File.new(URI.decode("/etc/hosts%00"), "r").gets'|./jruby
"127.0.0.1\tlocalhost\n"
@lumeet
Copy link
Contributor

lumeet commented Feb 11, 2015

Didn't notice this one before but it seems to fixed by #2583, too.

@enebo
Copy link
Member

enebo commented Feb 11, 2015

@lumeet I guess to solve this we need fixes for jruby-1_7 as well.

@mkristian
Copy link
Member

f41b6d9 cherry-picks #2583 into jruby-1_7 and adds missing bits from StringSupport from master.

@enebo enebo added this to the 9.0.0.0.pre2 milestone Apr 28, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mkristian mkristian

Labels
JRuby 1.7.x JRuby 9000
Projects
None yet
Milestone
JRuby 9.0.0.0.pre2
Development

No branches or pull requests
4 participants
@headius @enebo @mkristian @lumeet