Review Request for JDK-8003992: File and other classes in java.io do not handle embedded nulls properly
Florian Weimer
fweimer at redhat.com
Sun Mar 3 21:12:57 UTC 2013
On 03/03/2013 10:01 PM, Alan Bateman wrote:
> On 03/03/2013 20:00, Florian Weimer wrote:
>> You check that the file ends with ".jpg", so it won't be interpreted
>> by the web server, but the full extension is actually ".php\000.jpg",
>> so you end up writing a ".php" file, which is.
> The application have have the path String ".php\000.jpg" but when you
> create the file (with FileOutputStream or other APIs) then it would be
> ".php.jpg".
Yes, that's the behavior with dropping, and it does help in this case.
(I was arguing against truncation.) But dropping is unsafe, too, as I
described in the second paragraph of my message.
> Another potential approach is to just fail when attempting
> to create the file
I think this is what's required. It's what Python has been doing for
some time.
> but changing File's constructor to throw an exception
> would be an incompatible change.
I completely agree. I think I've written code myself which relies on
the File(String) constructor not looking at the contents of the string. 8-/
--
Florian Weimer / Red Hat Product Security Team
More information about the core-libs-dev
mailing list