oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE request: ruby file creation due in insertion of illegal NUL character

From: Fabian Keil <freebsd-listen () fabiankeil de>
Date: Wed, 17 Oct 2012 11:44:35 +0200
Daniel Kahn Gillmor <dkg () fifthhorseman net> wrote:


On 10/16/2012 08:40 AM, Matthias Weckbecker wrote:

Technically, this would also apply to Perl (at least with 5.12.3). 


It's also the case with perl 5.14.2 (just tested). :/


At least for Perl I consider this a feature.

The NUL byte is a special character and allows trailing white
space in the filename that is otherwise stripped. This is
(more or less) documented in perlopentut(1).

It also seems unlikely that someone adds NUL bytes to the
white list of acceptable characters by accident, and if there
is no white list in the first place, the Perl script probably
has bigger issues.

Fabian

Attachment: signature.asc
Description:

Previous By Date Next
Previous By Thread Next

Current thread: