Review Request for JDK-8003992: File and other classes in do not handle embedded nulls properly

Alan Bateman Alan.Bateman at
Sun Mar 3 21:01:04 UTC 2013

On 03/03/2013 20:00, Florian Weimer wrote:
> You check that the file ends with ".jpg", so it won't be interpreted 
> by the web server, but the full extension is actually ".php\000.jpg", 
> so you end up writing a ".php" file, which is.
The application have have the path String ".php\000.jpg" but when you 
create the file (with FileOutputStream or other APIs) then it would be 
".php.jpg". Another potential approach is to just fail when attempting 
to create the file but changing File's constructor to throw an exception 
would be an incompatible change.


More information about the core-libs-dev mailing list