Review Request for JDK-8003992: File and other classes in java.io do not handle embedded nulls properly
Alan Bateman
Alan.Bateman at oracle.com
Sun Mar 3 21:01:04 UTC 2013
On 03/03/2013 20:00, Florian Weimer wrote:
> You check that the file ends with ".jpg", so it won't be interpreted
> by the web server, but the full extension is actually ".php\000.jpg",
> so you end up writing a ".php" file, which is.
The application have have the path String ".php\000.jpg" but when you
create the file (with FileOutputStream or other APIs) then it would be
".php.jpg". Another potential approach is to just fail when attempting
to create the file but changing File's constructor to throw an exception
would be an incompatible change.
-Alan
More information about the core-libs-dev
mailing list