Vulnerability Development mailing list archives

Re: Passing (poison) nulls in cookies


From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Wed, 16 May 2001 01:01:58 +0200 (MET DST)

On Mon, 14 May 2001, Max Vision wrote:

> Since no one answered this I thought I'd share what I know about it.  It
> looks like the show-stopper is indeed with environment variables.  You can
> send nulls in cookies and it doesn't appear that apache does anything to
> filter them.  However perl uses a bash-type shell by default, which to the
> best of my understanding will always truncate an environment variable on a
> null.

Bash or "bash environment" is not involved when CGI programs are invoked
(unless the program in question is a script interpreted by bash). What is
involved is execve() system call: its specification says the environment
is a list of zero-terminated strings, ergo no string including '\0' can
ever be passed via an environment variable to another program.

> Here was what I saw:
>
>   bash,zsh: truncates at the null, "hi\x00there" becomes "hi"
>   csh,tcsh: converts null to space, "hi\x00there" becomes "hi there"
>   ash,ksh: removes the null, "hi\x00there" becomes "hithere"

The results of your tests are interesting but irrelevant unless the
value is read from an open file descriptor.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
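The execve() point above, shown as an added example that is not part of the original message and not code from either poster: a constructed environment entry `HTTP_COOKIE=hi\0there` (20 bytes in the buffer) is handed to a child `/bin/sh` once through the environment and once over a pipe. execve() copies each environment string only up to its first NUL, so the child sees just `hi`; the same bytes sent through a file descriptor arrive intact, which is the one exception the reply names. The `/bin/sh` path, the `PATH` value and the sample cookie are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed sample environment entry: a cookie value with an embedded NUL
 * ("hi", NUL, "there"), as it might arrive in a Cookie header.  The buffer is
 * 20 bytes long; the value part after '=' is 8 bytes. */
static const char COOKIE_ENTRY[] = "HTTP_COOKIE=hi\0there";
#define COOKIE_ENTRY_LEN (sizeof(COOKIE_ENTRY) - 1)   /* 20 */
#define COOKIE_VALUE     (COOKIE_ENTRY + 12)           /* "hi\0there" */
#define COOKIE_VALUE_LEN 8

/* Run `/bin/sh -c script` with the given environment (assumed path), feed it
 * stdin_len bytes on stdin, and return how many bytes it wrote to stdout
 * (-1 on any error).  The child is a real execve(), so whatever truncation
 * the kernel interface performs is what the child observes. */
static int run_child(const char *script, char *const envp[],
                     const char *stdin_data, size_t stdin_len) {
    int in[2], out[2];
    if (pipe(in) != 0 || pipe(out) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(in[0], STDIN_FILENO);
        dup2(out[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(out[0]); close(out[1]);
        char *const argv[] = { "sh", "-c", (char *)script, NULL };
        execve("/bin/sh", argv, envp);
        _exit(127);
    }
    close(in[0]); close(out[1]);
    if (stdin_len > 0 &&
        write(in[1], stdin_data, stdin_len) != (ssize_t)stdin_len) return -1;
    close(in[1]);
    char buf[256];
    size_t total = 0;
    ssize_t n;
    while ((n = read(out[0], buf + total, sizeof(buf) - total)) > 0)
        total += (size_t)n;
    close(out[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0) return -1;
    return (int)total;
}

/* How many bytes execve() copies for this entry: it stops at the first NUL,
 * exactly like strlen(), so "HTTP_COOKIE=hi" -> 14 of the 20 bytes. */
size_t bytes_execve_copies(void) { return strlen(COOKIE_ENTRY); }

/* Bytes of $HTTP_COOKIE the child can see when the value travels through the
 * environment: only "hi" -> 2. */
int cookie_bytes_via_environment(void) {
    char *const envp[] = { "PATH=/usr/bin:/bin", (char *)COOKIE_ENTRY, NULL };
    return run_child("printf '%s' \"$HTTP_COOKIE\"", envp, NULL, 0);
}

/* Bytes the child receives when the same value is sent over a file descriptor
 * (its stdin, copied back by `cat`): all 8, the NUL included. */
int cookie_bytes_via_fd(void) {
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    return run_child("cat", envp, COOKIE_VALUE, COOKIE_VALUE_LEN);
}

int main(void) {
    printf("entry buffer: %zu bytes, execve copies %zu, "
           "child sees %d bytes via env, %d bytes via fd\n",
           COOKIE_ENTRY_LEN, bytes_execve_copies(),
           cookie_bytes_via_environment(), cookie_bytes_via_fd());
    return 0;
}
```

The two numbers at the end are the whole argument of the reply: a CGI program reading cookies from the environment can never receive the bytes after a NUL, whatever shell is installed, while a program reading the same data from a socket or pipe receives everything and must handle the NUL itself.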

