12 Oct '12, 12pm

Unintentional file creation caused by inserting an illegal NUL character (CVE-2012-4522)

A vulnerability was found in which file creation routines can create unintended files when NUL byte(s) are strategically inserted into a file path.

Details

Ruby can handle arbitrary binary patterns as Strings, including NUL chars. On the other hand, OSes and other libraries tend not to: they usually treat a NUL as an End of String mark. So to interface them with Ruby, NUL chars should properly be avoided. However, methods like IO#open did not check the filename passed to them, and just passed those strings to lower layer routines. This led to the creation of unintentional files like this:

p File.exists?("foo") #=> false
open("foo\0bar", "w") { |f| f.puts "hai" }
p File.exists?("foo") #=> true
p File.exists?("foo\0bar") #=> raises ArgumentError

Affected versions

All Ruby 1.9.3 prior to patchlevel 286
All development branches of Ruby ...

Full article: http://www.ruby-lang.org/en/news/2012/10/12/poisoned-NUL-...
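The kind of check that closes this hole, written here as an added example rather than code from the advisory or from Ruby's own source: a wrapper that refuses any path containing a NUL byte before the string reaches the OS, plus a helper that shows which prefix the C-level open(2) would otherwise have seen. The names `os_visible_path`, `assert_no_nul!`, `safe_open` and `demo`, and the poisoned file name used in the demonstration, are my own constructions.

```ruby
# Added example (not from the ruby-lang.org advisory): reject NUL-poisoned paths
# before they are handed to the OS, which is the class of check Ruby 1.9.3-p286
# added to its own IO routines.

require "tmpdir"

# Returns the part of +path+ that open(2) would actually see, i.e. everything
# before the first NUL byte. Used only to illustrate the truncation; never use
# this to "clean" input, because the truncated name is exactly the unintended file.
def os_visible_path(path)
  idx = path.index("\0")
  idx ? path[0, idx] : path
end

# Raises ArgumentError if +path+ contains a NUL byte anywhere; otherwise returns it.
def assert_no_nul!(path)
  raise ArgumentError, "string contains null byte" if path.include?("\0")
  path
end

# Replacement for a bare open(): validate first, then delegate to File.open.
def safe_open(path, mode = "r", &block)
  File.open(assert_no_nul!(path), mode, &block)
end

# Demonstration on a constructed poisoned name inside a throwaway directory.
# Returns a Hash describing what happened so the outcome can be checked.
def demo
  Dir.mktmpdir do |dir|
    poisoned = dir + "/foo\0bar"   # constructed: the OS would see only ".../foo"
    begin
      safe_open(poisoned, "w") { |f| f.puts "hai" }
      :wrote
    rescue ArgumentError => e
      # Nothing was created: neither the requested name nor its truncated prefix.
      { error: e.message, truncated_exists: File.exist?(os_visible_path(poisoned)) }
    end
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

On Ruby 1.9.3-p286 and later, File.open itself raises the same ArgumentError, so the explicit check is redundant there; it remains useful as documentation of the invariant, and as the check to apply when a path is forwarded to a C extension or an external command that does its own string handling.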

Tweets

So this is being treated as a vulnerability in the language. Perl has the same problem too, and in the Information Technology Engineers Examination's secu...

ruby-lang.org 12 Oct '12, 9pm

Ruby 1.9.3-p286 is released

ruby-lang.org 12 Oct '12, 11am

Ruby 1.9.3-p286 is released. This release includes some security fixes, and many other bug fixes. $SAFE escaping vulnerabi...