Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ENV#[]=: Disallow null bytes in key and value #5216

Merged
merged 1 commit into from
Nov 1, 2017
Merged

ENV#[]=: Disallow null bytes in key and value #5216

merged 1 commit into from
Nov 1, 2017

Conversation

Papierkorb
Copy link
Contributor

Make ENV#[]= raise an ArgumentError if key or value contain a NUL byte.

Before this, a call to ENV[k] = v would not check for NUL-bytes.
setenv(3) would then take the key and value, and as it doesn't know
about the embedded NUL-byte(s) in the key and/or value, would truncate
at the NUL-byte.

This may not sound too terrible at first. But it can turn into a
security issue:

from_user = "DO-SOMETHING-BAD\0GOOD" # Received from user input
if from_user.ends_with?("GOOD") # Will match
  ENV["FOO"] = from_user # Will set "FOO" to "DO-SOMETHING-BAD"
end

Truncating user input is a real issue, with exploitation in the wild: https://mathiasbynens.be/notes/mysql-utf8mb4

Regards,
Korb

@Papierkorb
ENV#[]=: Disallow null bytes in key and value
81a4c29 
Before this, a call to `ENV[k] = v` would not check for NUL-bytes.
`setenv(3)` would then take the key and value, and as it doesn't know
about the embedded NUL-byte(s) in the key and/or value, would truncate
at the NUL-byte.

This may not sound too terrible at first.  But it can turn into a
security issue:

```cr
from_user = "DO-SOMETHING-BAD\0GOOD" # Received from user input
if from_user.ends_with?("GOOD") # Will match
  ENV["FOO"] = from_user # Will set "FOO" to "DO-SOMETHING-BAD"
end
```
asterite
asterite requested changes Oct 31, 2017
View reviewed changes
src/env.cr
def self.[]=(key : String, value : String?)
raise ArgumentError.new("Key contains null byte") if key.byte_index(0)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can simply do key.check_no_null_byte

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same applies to value, of course

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes I had that at first, but then chose to tell if the key or the value is the culprit

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ooooh... makes sense!

@asterite asterite added kind:bug A bug in the code. Does not apply to documentation, specs, etc. topic:stdlib labels Nov 1, 2017
@asterite asterite added this to the Next milestone Nov 1, 2017
@asterite asterite merged commit 99c3d2b into crystal-lang:master Nov 1, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asterite asterite asterite approved these changes

@RX14 RX14 RX14 approved these changes

Assignees
No one assigned
Labels
kind:bug A bug in the code. Does not apply to documentation, specs, etc. topic:stdlib
Projects
None yet
Milestone
0.24.1
Development

Successfully merging this pull request may close these issues.
3 participants
@Papierkorb @asterite @RX14