Review Request for JDK-8003992: File and other classes in java.io do not handle embedded nulls properly
Florian Weimer
fweimer at redhat.com
Sun Mar 3 20:00:34 UTC 2013
On 02/27/2013 01:15 PM, Alan Bateman wrote:
> On 27/02/2013 12:07, Peter Levart wrote:
>>
>> What does a FileInputStream for example do when trying to open a File
>> with embedded NUL chars on UNIX/Windows ? Does it try to open a
>> "truncated" path? If so, then perhaps "normalize" could do that
>> beforehand...
> Yes, it's truncated. Dan's fix covers FileInputStream and friends too as
> they go through the normalize code.
You should throw an exception. Embedded NUL characters have been used
to bypass security checks. The canonical example is an upload to a web
server directory. You check that the file ends with ".jpg", so it won't
be interpreted by the web server, but the full extension is actually
".php\000.jpg", so you end up writing a ".php" file, which is.
Furthermore, dropping the NUL character is *extremely* dangerous because
it could be used to bypass security checks which look for ".." to
prevent directory traversal attacks.
--
Florian Weimer / Red Hat Product Security Team
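
The mismatch described in the message above, as an added example (not code from the original post or from the JDK). The class and method names are hypothetical and the sample names are constructed; it models the two lenient behaviours discussed in the thread, truncating at the NUL and dropping it, next to the reject-with-exception policy.

```java
public class NulPathCheck {
    // Models a C-string consumer such as open(2): the name ends at the first NUL.
    static String truncateAtNul(String name) {
        int i = name.indexOf('\0');
        return i < 0 ? name : name.substring(0, i);
    }

    // Models a "normalize" step that silently drops NUL characters.
    static String stripNul(String name) {
        return name.replace("\0", "");
    }

    // Application-level checks, run on the string exactly as the caller sees it.
    static boolean passesChecks(String name) {
        return name.endsWith(".jpg") && !name.contains("..");
    }

    // The policy argued for in the message: refuse the name outright.
    static String requireNoNul(String name) {
        if (name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("embedded NUL in path name");
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign, one per case from the message.
        String[] samples = { "photo.jpg", "upload.php\0.jpg", ".\0./photo.jpg" };
        for (String s : samples) {
            System.out.printf("%-18s checks=%b truncated=%s stripped=%s%n",
                    s.replace("\0", "\\0"), passesChecks(s),
                    truncateAtNul(s), stripNul(s));
            try {
                requireNoNul(s);
                System.out.println("  accepted");
            } catch (IllegalArgumentException e) {
                System.out.println("  rejected: " + e.getMessage());
            }
        }
    }
}
```

All three names pass the suffix and ".." checks, yet the second truncates to "upload.php" and the third strips to "../photo.jpg"; only the rejecting policy keeps the checked name and the used name identical.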