oss-sec mailing list archives
Re: CVE request: ruby file creation due in insertion of illegal NUL character
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Tue, 16 Oct 2012 11:51:42 -0400
On 10/16/2012 08:40 AM, Matthias Weckbecker wrote:
> Technically, this would also apply to Perl (at least with 5.12.3).

It's also the case with perl 5.14.2 (just tested). :/

on the other hand, python and php seem to both have some sort of an internal check in place, so there's a difference of expectation somewhere:

0 dkg@pip:~$ python -c 'f = open("python\0foo"); f.write("test");'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
TypeError: file() argument 1 must be encoded string without NULL bytes, not str
1 dkg@pip:~$

0 dkg@pip:~$ echo | php -B 'if ($x = fopen("php\0foo", "w")) fwrite($x, "test");'
PHP Warning: fopen() expects parameter 1 to be a valid path, string given in Command line begin code on line 1
0 dkg@pip:~$

hth,

--dkg
Attachment:
signature.asc
Description: OpenPGP digital signature
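
Added example (not part of the original message or of any project discussed in the thread): a Ruby guard that applies the kind of check the Python and PHP sessions above show, rejecting a path containing a NUL byte before it reaches a file API, and reporting the shorter name a NUL-terminated C string would carry. The helper names (c_string_view, checked_path, write_checked, audit) and the sample names are constructed for illustration.

```ruby
require 'tmpdir'

# Raised when a path is refused before it reaches any file API.
class UnsafePathError < ArgumentError; end

# The name a C API taking a NUL-terminated char* would act on:
# every byte before the first NUL.
def c_string_view(path)
  bytes = path.b
  idx = bytes.index("\0")
  idx ? bytes[0, idx] : bytes
end

# Refuse non-strings, empty paths and any path with an embedded NUL byte.
def checked_path(path)
  raise UnsafePathError, 'path must be a String' unless path.is_a?(String)
  raise UnsafePathError, 'empty path' if path.empty?
  if path.b.include?("\0")
    raise UnsafePathError,
          "NUL byte in path; C layer would see #{c_string_view(path).inspect}"
  end
  path
end

# Write only after the path has passed the check.
def write_checked(path, data)
  File.write(checked_path(path), data)
end

# Classify each candidate name: [name, verdict, name the C layer would see].
def audit(paths)
  paths.map do |p|
    begin
      checked_path(p)
      [p, :ok, p]
    rescue UnsafePathError
      [p, :rejected, c_string_view(p)]
    end
  end
end

# Constructed samples: the two names from the sessions above plus a clean one.
SAMPLES = ["python\0foo", "php\0foo", 'plain.txt'].freeze

audit(SAMPLES).each do |name, verdict, seen|
  puts format('%-16s %-9s C layer sees %s', name.inspect, verdict, seen.inspect)
end
```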