Project

General

Profile

Actions

Defect #44228

open

Uploading an attachment with a NUL byte in the filename causes an Internal Server Error

Added by Go MAEDA 2 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Attachments
Resolution:
Affected version:

Description

Uploading an attachment with a filename that contains a NUL byte, for example hello%00world.txt via POST /uploads.json?filename=hello%00world.txt, raises an ArgumentError and results in an Internal Server Error. This issue was originally pointed out by Ali İhsan Barışman in #44227.

During attachment validation, Attachment#validate_file_extension calls File.extname(filename). Ruby raises ArgumentError: path name contains null byte when the filename contains \x00, causing Redmine to return an Internal Server Error instead of handling the input gracefully.

The attached patch fixes the issue by adding \x00 to the invalid character set used by Attachment#sanitize_filename, so filenames containing NUL bytes are normalized before validation. For example, hello\x00world.txt becomes hello_world.txt.

The same character set is also used when sanitizing archived wiki page filenames to keep the behavior consistent with Attachment#sanitize_filename.


Files

No data to display

Actions

Also available in: Atom PDF