From the Area51 proposal
3 Answers
Accordingly to the following resources:
we can conclude that Null Byte injections are possible in Java.
- As Dave Wichers' answer, this is historically correct for OpenJDK until 2013. Now fixed, that's not to say you shouldn't, say, whitelist characters in filenames. – Tom Hawtin - tackline Sep 12 '14 at 17:44
- It's "according to" ... anything below a 6 character edit won't go through though. So perhaps someone seeing this comment will fix it and flag my comment for deletion. Thanks. – 0xC0000022L May 24 '20 at 18:47
Null byte injection depends on a mismatch in the way that strings are handled.
e.g. Java stores the length of the string independently of the content of the string, while C starts at the beginning of the string and checks for a Null Byte to indicate the end of the string.
As a result, Java code can perform checks like "does the file requested end with .jsp" on a string like "/etc/shadow%00.jsp" (where %00 represents the null byte), and return true, while passing this string to "new FileInputStream()" will result in the underlying OS (both Windows and Linux) trying to open "/etc/shadow".
(Relevance of trying to open /etc/shadow on Windows is left as an exercise for the reader :-) )
Null byte injection in filenames was fixed in Java 7 update 40 (released around Sept. 2013), https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8014846. So, it's FINALLY fixed.
- Wow, thanks for the update Dave. Can you provide a link, and some more technical details? – AviD Sep 11 '14 at 08:11
- @AviD Do you want to change the accepted answer? http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8014846 – Tom Hawtin - tackline Sep 12 '14 at 17:49
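The suffix-check mismatch and the character whitelist discussed in the answers and comments above, as an added example that is not part of any answer. The class name, the allowed-character pattern and the sample names are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.util.regex.Pattern;

public class NullByteFilenameCheck {
    // Assumption: the application only serves names made of these characters.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]+\\.jsp");

    // The weak check from the answer: looks only at the suffix.
    static boolean weakCheck(String name) {
        return name.endsWith(".jsp");
    }

    // What a NUL-terminated (C-style) consumer would see of the same string.
    static String asCString(String name) {
        int nul = name.indexOf('\0');
        return nul < 0 ? name : name.substring(0, nul);
    }

    // Hardened check: whitelist the whole name, so NUL, '/' and ".." cannot pass.
    static boolean strictCheck(String name) {
        return SAFE_NAME.matcher(name).matches();
    }

    public static void main(String[] args) {
        String[] samples = { "index.jsp", "/etc/shadow\0.jsp" }; // constructed inputs
        for (String s : samples) {
            String shown = s.replace("\0", "%00");
            System.out.printf("%-22s weak=%-5b strict=%-5b c-view=%s%n",
                    shown, weakCheck(s), strictCheck(s), asCString(s));
        }
        // On a JDK with the fix cited above, the constructor itself refuses the name.
        try (FileInputStream in = new FileInputStream("/etc/shadow\0.jsp")) {
            System.out.println("opened (JDK without the fix)");
        } catch (IOException e) {
            System.out.println("JDK rejected the name: " + e.getMessage());
        }
    }
}
```

The second sample passes the suffix check while its C-style view is a different path; the whitelist rejects it regardless of which JDK is in use.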