Date: Tue, 16 Oct 2012 11:51:42 -0400 From: Daniel Kahn Gillmor <dkg@...thhorseman.net> To: oss-security@...ts.openwall.com Subject: Re: CVE request: ruby file creation due in insertion of illegal NUL character On 10/16/2012 08:40 AM, Matthias Weckbecker wrote: > Technically, this would also apply to Perl (at least with 5.12.3). It's also the case with perl 5.14.2 (just tested). :/ on the other hand, python and php seem to both have some sort of an internal check in place, so there's a difference of expectation somewhere: 0 dkg@pip:~$ python -c 'f = open("python\0foo"); f.write("test");' Traceback (most recent call last): File "<string>", line 1, in <module> TypeError: file() argument 1 must be encoded string without NULL bytes, not str 1 dkg@pip:~$ 0 dkg@pip:~$ echo | php -B 'if ($x = fopen("php\0foo", "w")) fwrite($x, "test");' PHP Warning: fopen() expects parameter 1 to be a valid path, string given in Command line begin code on line 1 0 dkg@pip:~$ hth, --dkg Download attachment "signature.asc" of type "application/pgp-signature" (1031 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.