oss-sec mailing list archives
Re: CVE request: ruby file creation due in insertion of illegal NUL character
From: Matthias Weckbecker <mweckbecker () suse de>
Date: Thu, 18 Oct 2012 12:51:39 +0200
On Wednesday 17 October 2012 20:14:22 Simon McVittie wrote: [...]
For Perl, one possibility would be to continue to treat an input of "foo\0" as equivalent to "foo" (so that you can use "./ foo \0" to mean " foo ", as documented), but disallow NULs anywhere except the last position.
Although this is a very elegant solution it's on the other hand probably not trivially implemented, because NUL is mostly treated as the end of a string. Simply reading beyond it to check whether there is something else that might need to be taken into account will likely result in more work for Kurt. ;-)
S
Matthias -- Matthias Weckbecker, Senior Security Engineer, SUSE Security Team SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg, Germany Tel: +49-911-74053-0; http://suse.com/ SUSE LINUX Products GmbH, GF: Jeff Hawn, HRB 16746 (AG Nuernberg)
Current thread:
- CVE request: ruby file creation due in insertion of illegal NUL character Vincent Danen (Oct 12)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Kurt Seifried (Oct 13)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character U.Nakamura (Oct 15)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Matthias Weckbecker (Oct 16)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Daniel Kahn Gillmor (Oct 16)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Fabian Keil (Oct 17)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Matthias Weckbecker (Oct 17)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Kurt Seifried (Oct 17)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Simon McVittie (Oct 17)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Kurt Seifried (Oct 17)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Matthias Weckbecker (Oct 18)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Simon McVittie (Oct 18)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Daniel Kahn Gillmor (Oct 16)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Kurt Seifried (Oct 13)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Simon McVittie (Oct 17)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Eitan Adler (Oct 17)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Tim (Oct 17)