oss-sec mailing list archives
Re: CVE request: ruby file creation due in insertion of illegal NUL character
From: Eitan Adler <lists () eitanadler com>
Date: Wed, 17 Oct 2012 13:39:18 -0400
On 17 October 2012 13:31, Simon McVittie <smcv () debian org> wrote:
As you imply, that pseudocode is a bad idea anyway: the webapp should be ensuring that the filenames match a pattern more like /^[A-Za-z0-9_]\.jpg$/ (or not allowing user-controlled filenames at all), and/or the web server should be configured so it never trusts files in the uploads directory (either as executable code or something like .htaccess).
Anything vulnerable to this sort of trickery is probably vulnerable to file-overwriting attacks via "../" path segments, too.
What if they ensure this sort of safety via some other mechanism? (chroot for example) What if they take the file name to be "anything after the final /" ? I could see some instances, albeit contrived, where an application might be vulnerable to this sort of attack, but not vulnerable to generic path traversal. -- Eitan Adler
Current thread:
- Re: CVE request: ruby file creation due in insertion of illegal NUL character, (continued)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Matthias Weckbecker (Oct 16)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Daniel Kahn Gillmor (Oct 16)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Fabian Keil (Oct 17)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Matthias Weckbecker (Oct 17)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Kurt Seifried (Oct 17)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Simon McVittie (Oct 17)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Kurt Seifried (Oct 17)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Matthias Weckbecker (Oct 18)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Simon McVittie (Oct 18)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Daniel Kahn Gillmor (Oct 16)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Matthias Weckbecker (Oct 16)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Simon McVittie (Oct 17)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Eitan Adler (Oct 17)
- Re: CVE request: ruby file creation due in insertion of illegal NUL character Tim (Oct 17)