Review Request for JDK-8003992: File and other classes in java.io do not handle embedded nulls properly

Florian Weimer fweimer at redhat.com
Sun Mar 3 20:00:34 UTC 2013


On 02/27/2013 01:15 PM, Alan Bateman wrote:
> On 27/02/2013 12:07, Peter Levart wrote:
>>
>> What does a FileInputStream for example do when trying to open a File
>> with embedded NUL chars on UNIX/Windows ? Does it try to open a
>> "truncated" path? If so, then perhaps "normalize" could do that
>> beforehand...

> Yes, it's truncated. Dan's fix covers FileInputStream and friends too as
> they go through the normalize code.

You should throw an exception.  Embedded NUL characters have been used 
to bypass security checks.  The canonical example is an upload to a web 
server directory.  You check that the file ends with ".jpg", so it won't 
be interpreted by the web server, but the full extension is actually 
".php\000.jpg", so you end up writing a ".php" file, which is.

Furthermore, dropping the NUL character is *extremely* dangerous because 
it could be used to bypass security checks which look for ".." to 
prevent directory traversal attacks.

-- 
Florian Weimer / Red Hat Product Security Team
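
The two bypasses described in the message above, as an added example that is not part of the original message or of the JDK change under review. The class and method names are hypothetical, the sample names are constructed, and `truncateAtNul` and `dropNul` only model what a C-string API or a NUL-stripping normalizer would do to the name.

```java
import java.util.List;

public class UploadNameCheck {
    // Model of what a C-string API sees: everything before the first NUL.
    static String truncateAtNul(String s) {
        int i = s.indexOf('\0');
        return i < 0 ? s : s.substring(0, i);
    }

    // Model of a normalizer that drops NULs instead of rejecting them.
    static String dropNul(String s) {
        return s.replace("\0", "");
    }

    // Naive check from the message: extension test plus a ".." test.
    static boolean naiveAccept(String name) {
        return name.endsWith(".jpg") && !name.contains("..");
    }

    // Hardened check: refuse any embedded NUL first, then apply the same rules.
    static String validate(String name) {
        if (name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("embedded NUL in file name");
        }
        if (!naiveAccept(name)) {
            throw new IllegalArgumentException("rejected file name");
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: benign, truncation case, NUL-dropping case.
        List<String> samples = List.of("photo.jpg", "page.php\0.jpg", ".\0./x.jpg");
        for (String s : samples) {
            String shown = s.replace("\0", "\\0");
            System.out.printf("%-16s naive=%b truncated=%s dropped=%s%n",
                shown, naiveAccept(s), truncateAtNul(s), dropNul(s));
            try {
                validate(s);
                System.out.println("  validate: accepted");
            } catch (IllegalArgumentException e) {
                System.out.println("  validate: " + e.getMessage());
            }
        }
    }
}
```

Both NUL-bearing names pass the naive check, yet the truncated and NUL-dropped forms are a `.php` name and a `../` path respectively; the hardened check rejects them before either transformation can happen.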


