Arbitrary end of a string by using Nullbyte's symbol (Ruby 1.9.3p194)

A couple of days ago I was doing a dummy app using RoR 3.2.12 and ruby
1.9.3p194.. so after play with the params for a while i realized that
i'm able to skip the file extension by doing
'''
file="../../../../../etc/passwd\c0000"
@data= File.read('public/'+file+'.txt')
'''
just like the old PHP versions or some Java versions.. so I though it
was a RoR's bug. therefore I decided to report it with Aron Patterson
(from RoR sec-mailist ). who politely has helped me to figure out that
this is a bug in ruby *1.9.3p194* version.

The weirdest thing is that I've tested in older versions
(ruby-1.9.2-p320) getting a right outcome from my point of view [
ArgumentError (string contains null byte) ] but this one particularly
build skip that exception..

So my question should be.. Is there any particular reason why in version
of ruby *1.9.3p194* the "string contains null byte" exception is not
deployed?

thanks in advance!

Christian Yerena

Maybe because there are no null bytes in your example?

irb(main):012:0> file="../../../../../etc/passwd\c0000"
=> "../../../../../etc/passwd\u0010000"
irb(main):013:0> file.chars.to_a
=> [".", ".", "/", ".", ".", "/", ".", ".", "/", ".", ".", "/", ".",
".", "/", "e", "t", "c", "/", "p", "a", "s", "s", "w", "d", "\u0010",
"0", "0", "0"]
irb(main):014:0> file.chars.each {|c| p c}
"."
"."
"/"
"."
"."
"/"
"."
"."
"/"
"."
"."
"/"
"."
"."
"/"
"e"
"t"
"c"
"/"
"p"
"a"
"s"
"s"
"w"
"d"
"\u0010"
"0"
"0"
"0"
=> "../../../../../etc/passwd\u0010000"

Even if there were, this seems completely legal:

irb(main):015:0> s="a\0b"
=> "a\u0000b"
irb(main):016:0> s.length
=> 3
irb(main):017:0> s.bytesize
=> 3
irb(main):018:0> s.chars.to_a
=> ["a", "\u0000", "b"]

But maybe I'm not getting what your issue is.

Kind regards

robert

Robert Klemme wrote in post #1103402:

this is a bug in ruby *1.9.3p194* version.

The weirdest thing is that I've tested in older versions
(ruby-1.9.2-p320) getting a right outcome from my point of view [
ArgumentError (string contains null byte) ] but this one particularly
build skip that exception..

So my question should be.. Is there any particular reason why in version
of ruby *1.9.3p194* the "string contains null byte" exception is not
deployed?

Maybe because there are no null bytes in your example?

irb(main):012:0> file="../../../../../etc/passwd\c0000"
=> "../../../../../etc/passwd\u0010000"
irb(main):013:0> file.chars.to_a
=> [".", ".", "/", ".", ".", "/", ".", ".", "/", ".", ".", "/", ".",
".", "/", "e", "t", "c", "/", "p", "a", "s", "s", "w", "d", "\u0010",
"0", "0", "0"]
irb(main):014:0> file.chars.each {|c| p c}
"."
"."
"/"
"."
"."
"/"
"."
"."
"/"
"."
"."
"/"
"."
"."
"/"
"e"
"t"
"c"
"/"
"p"
"a"
"s"
"s"
"w"
"d"
"\u0010"
"0"
"0"
"0"
=> "../../../../../etc/passwd\u0010000"

Even if there were, this seems completely legal:

irb(main):015:0> s="a\0b"
=> "a\u0000b"
irb(main):016:0> s.length
=> 3
irb(main):017:0> s.bytesize
=> 3
irb(main):018:0> s.chars.to_a
=> ["a", "\u0000", "b"]

But maybe I'm not getting what your issue is.

Kind regards

robert

thanks about the note.. try it with "\0"

$ruby -v
ruby 1.9.3p194 (2012-04-20 revision 35410) [x86_64-darwin12.0.0]
$ irb
1.9.3-p194-perf :003 > file="../../../../../etc/passwd\0"
=> "../../../../../etc/passwd\u0000"
1.9.3-p194-perf :004 > @data= File.read('public/'+file+'.txt')
=> "##\n# User Database\n# \n# Note that this file is consulted
directly only when the system is running\n# in single-user mode. At
other times this information is provided by\n# Open Directory.\n#\n# See
the opendirectoryd(8) man page for additional information about\n# Open
Directory.\n##\nnobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin
"........

thanks in advance!

p194 is not the newest one. Maybe that version has a bug?

$ echo 111 >a
$ echo 222 >a.txt
$ ruby -e 'p File.read("a\0.txt")'
-e:1:in `read': string contains null byte (ArgumentError)
        from -e:1:in `<main>'
$ ruby -v
ruby 1.9.3p385 (2013-02-06 revision 39114) [i386-cygwin]

Cheers

robert