Review Request for JDK-8003992: File and other classes in java.io do not handle embedded nulls properly
Florian Weimer fweimer at redhat.com
Sun Mar 3 20:00:34 UTC 2013
- Previous message: Review Request: BigInteger patch for efficient multiplication and division (#4837946)
- Next message: Review Request for JDK-8003992: File and other classes in java.io do not handle embedded nulls properly
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 02/27/2013 01:15 PM, Alan Bateman wrote:
> On 27/02/2013 12:07, Peter Levart wrote:
>> What does a FileInputStream for example do when trying to open a File with embedded NUL chars on UNIX/Windows? Does it try to open a "truncated" path? If so, then perhaps "normalize" could do that beforehand...
>
> Yes, it's truncated. Dan's fix covers FileInputStream and friends too as they go through the normalize code.

You should throw an exception. Embedded NUL characters have been used to bypass security checks. The canonical example is an upload to a web server directory. You check that the file ends with ".jpg", so it won't be interpreted by the web server, but the full extension is actually ".php\000.jpg", so you end up writing a ".php" file, which is.
Furthermore, dropping the NUL character is extremely dangerous because it could be used to bypass security checks which look for ".." to prevent directory traversal attacks.
-- Florian Weimer / Red Hat Product Security Team
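
The two bypasses described in the message, shown as an added example that is not part of the original post or of the JDK patch: a suffix check and a ".." check both pass on the raw string, while the truncated or NUL-stripped name means something else. The class name, helper names and sample file names are constructed for illustration.

```java
public class NulPathCheck {
    // Checks of the kind the message describes, applied to the full Java string.
    static boolean endsWithJpg(String name) { return name.endsWith(".jpg"); }
    static boolean hasDotDot(String name)   { return name.contains(".."); }

    // What a C-string file API sees when the path is cut at the first NUL.
    static String truncateAtNul(String name) {
        int i = name.indexOf('\0');
        return i < 0 ? name : name.substring(0, i);
    }

    // What is left if NUL characters are silently dropped instead.
    static String dropNul(String name) { return name.replace("\0", ""); }

    // The behaviour the message asks for: refuse the name outright.
    static String requireNoNul(String name) {
        int i = name.indexOf('\0');
        if (i >= 0) {
            throw new IllegalArgumentException("embedded NUL at index " + i);
        }
        return name;
    }

    // Make NUL visible when printing.
    static String show(String s) { return s.replace("\0", "\\0"); }

    public static void main(String[] args) {
        String upload = "upload.php\0.jpg";   // constructed sample
        String dotted = ".\0./secret.txt";    // constructed sample

        System.out.printf("%s: endsWithJpg=%b, after truncation -> %s%n",
                show(upload), endsWithJpg(upload), truncateAtNul(upload));
        System.out.printf("%s: hasDotDot=%b, after dropping NUL -> %s%n",
                show(dotted), hasDotDot(dotted), dropNul(dotted));

        // Validation must run on the raw name, before any normalization step.
        for (String name : new String[] { upload, dotted, "photo.jpg" }) {
            try {
                System.out.println("accepted: " + requireNoNul(name));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + show(name) + ": " + e.getMessage());
            }
        }
    }
}
```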