Beefy Boxes and Bandwidth Generously Provided by pair Networks
Welcome to the Monastery

%00 causes server error

by Anonymous Monk
on Jul 24, 2001 at 17:00 UTC ( #99311=monkdiscuss: print w/replies, xml ) Need Help??

putting %00 anywhere in the url for the perlmonks website causes an the server error/NodeReaper page to be displayed.

Is this a bug in the e2 code, or just the perlmonks additions?

is this worth fixing?

Replies are listed 'Best First'.
Re: %00 causes server error
by Cirollo (Friar) on Jul 24, 2001 at 17:39 UTC
    Perhaps it has something to do with the issue discussed at CGI Security and the null byte problem? Basically, that node says that if you let a null byte (%00) hit a shell, when it gets passed through the C underpinnings of Perl, the C ignores everything after it (since strings in C are null terminated).

    Maybe Perlmonks ignores any URI with a null byte in it for that security reason? Although, I imagine that the E2 code is well written enough that it wouldn't be very easy to hit the shell with user input.

      You don't need a shell for a nul to be a security problem. See (tye)Re: CGI OO 'param' vs. hash.

      As for the PerlMonks issue, I don't see a whole lot of point in having nul bytes in PM URLs be treated nicely. I doubt they can be supported in the underlying database so they have no use so why shouldn't they give you a useless page?

      So long as they are detected and prevented from doing damage, I'm happy (I'm not sure that they are being detected but it certainly could be that the nul detector just dies and that triggers the 500 error, which is fine with me).

              - tye (but my friends call me "Tye")
      I know what the null byte is and what it does. I'd be suprised if the "code" in question didn't "disallow" the null byte in the query string.

      It is an easy fix, and I'm really suprised vroom's baby goes into error 500 mode because of it.

      I know for a fact that vroom is aware of the null byte and all (if not most) of it's implications :)

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: monkdiscuss [id://99311]
Approved by root
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others examining the Monastery: (7)
As of 2023-02-09 08:14 GMT
Find Nodes?
    Voting Booth?
    I prefer not to run the latest version of Perl because:

    Results (44 votes). Check out past polls.