Review Request for JDK-8003992: File and other classes in do not handle embedded nulls properly

Florian Weimer fweimer at
Sun Mar 3 21:12:57 UTC 2013

On 03/03/2013 10:01 PM, Alan Bateman wrote:
> On 03/03/2013 20:00, Florian Weimer wrote:
>> You check that the file ends with ".jpg", so it won't be interpreted
>> by the web server, but the full extension is actually ".php\000.jpg",
>> so you end up writing a ".php" file, which is.

> The application have have the path String ".php\000.jpg" but when you
> create the file (with FileOutputStream or other APIs) then it would be
> ".php.jpg".

Yes, that's the behavior with dropping, and it does help in this case. 
(I was arguing against truncation.)  But dropping is unsafe, too, as I 
described in the second paragraph of my message.

 > Another potential approach is to just fail when attempting
> to create the file

I think this is what's required.  It's what Python has been doing for 
some time.

 > but changing File's constructor to throw an exception
> would be an incompatible change.

I completely agree.  I think I've written code myself which relies on 
the File(String) constructor not looking at the contents of the string. 8-/

Florian Weimer / Red Hat Product Security Team

More information about the core-libs-dev mailing list