PerlMonks  

%00 causes server error

by Anonymous Monk
on Jul 24, 2001 at 17:00 UTC ( [id://99311]=monkdiscuss )

Putting %00 anywhere in the URL for the perlmonks website causes the server error/NodeReaper page to be displayed.

Is this a bug in the e2 code, or just the perlmonks additions?

Is this worth fixing?

Replies are listed 'Best First'.
Re: %00 causes server error
by Cirollo (Friar) on Jul 24, 2001 at 17:39 UTC
    Perhaps it has something to do with the issue discussed at CGI Security and the null byte problem? Basically, that node says that if you let a null byte (%00) hit a shell, when it gets passed through the C underpinnings of Perl, the C ignores everything after it (since strings in C are null terminated).

    Maybe Perlmonks ignores any URI with a null byte in it for that security reason? Although, I imagine that the E2 code is well written enough that it wouldn't be very easy to hit the shell with user input.

      You don't need a shell for a nul to be a security problem. See (tye)Re: CGI OO 'param' vs. hash.

      As for the PerlMonks issue, I don't see a whole lot of point in having nul bytes in PM URLs be treated nicely. I doubt they can be supported in the underlying database so they have no use so why shouldn't they give you a useless page?

      So long as they are detected and prevented from doing damage, I'm happy (I'm not sure that they are being detected but it certainly could be that the nul detector just dies and that triggers the 500 error, which is fine with me).

              - tye (but my friends call me "Tye")
      I know what the null byte is and what it does. I'd be surprised if the "code" in question didn't "disallow" the null byte in the query string.

      It is an easy fix, and I'm really surprised vroom's baby goes into error 500 mode because of it.

      I know for a fact that vroom is aware of the null byte and all (if not most) of its implications :)
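
The mismatch described in the replies above (Perl keeps the bytes after a decoded %00, while a NUL-terminated C string stops there) and the kind of query-string check the thread asks for, as an added example that is not part of the thread or of the PerlMonks/E2 code. The helper names `uri_decode`, `c_view` and `parse_query` and the sample query strings are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: constructed inputs, hypothetical helper names.
use strict;
use warnings;

# Percent-decode one query-string component, exactly once.
sub uri_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# The string as a C routine expecting NUL termination would read it:
# unpack 'Z*' stops at the first NUL byte.
sub c_view {
    my ($s) = @_;
    return unpack('Z*', $s);
}

# Parse a raw query string. Returns (1, \%params) when clean, or
# (0, $reason) when any decoded key or value contains a NUL byte.
sub parse_query {
    my ($raw) = @_;
    my %params;
    for my $pair (grep { length } split /[&;]/, $raw) {
        my ($k, $v) = map { uri_decode($_) } split /=/, $pair, 2;
        $v = '' unless defined $v;
        for my $part ($k, $v) {
            next unless $part =~ /\x00/;
            return (0, sprintf('NUL byte: Perl sees %d bytes, C would see "%s"',
                               length($part), c_view($part)));
        }
        $params{$k} = $v;
    }
    return (1, \%params);
}

# Constructed sample query strings: clean, NUL in a value, NUL in a key.
my @samples = ('node_id=99311', 'node=report.txt%00.html', 'no%00de=1');
for my $raw (@samples) {
    my ($ok, $result) = parse_query($raw);
    printf "%-8s %-26s %s\n", ($ok ? 'accept' : 'reject'), $raw,
           ($ok ? join(',', sort keys %$result) : $result);
}
```

The check runs on the decoded value, after a single decoding pass, so the bytes it inspects are the same bytes the rest of the program will use.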
