Defect #44228
open
Uploading an attachment with a NUL byte in the filename causes an Internal Server Error
Description
Uploading an attachment with a filename that contains a NUL byte, for example hello%00world.txt via POST /uploads.json?filename=hello%00world.txt, raises an ArgumentError and results in an Internal Server Error. This issue was originally pointed out by Ali İhsan Barışman in #44227.
During attachment validation, Attachment#validate_file_extension calls File.extname(filename). Ruby raises ArgumentError: path name contains null byte when the filename contains \x00, causing Redmine to return an Internal Server Error instead of handling the input gracefully.
The attached patch fixes the issue by adding \x00 to the invalid character set used by Attachment#sanitize_filename, so filenames containing NUL bytes are normalized before validation. For example, hello\x00world.txt becomes hello_world.txt.
The same character set is also used when sanitizing archived wiki page filenames to keep the behavior consistent with Attachment#sanitize_filename.
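The failure and the fix described above, reproduced in plain Ruby as an added example; this is not Redmine's code or the attached patch. `INVALID_FILENAME_CHARS`, `decoded_filename`, `sanitize_upload_filename`, `safe_extname` and `extension_allowed?` are hypothetical names, and every member of the character set other than `\x00` is an assumption.

```ruby
require 'uri'

# Added example; all names here are hypothetical, not Redmine's own code.

# Characters replaced with "_" before validation. Only \x00 comes from the
# issue text; the other members are an assumed, illustrative set.
INVALID_FILENAME_CHARS = /[\x00\/\\?%*:|"'<>\n\r]+/

# Decode a query-string value the way a web framework would before the
# application sees it: "%00" becomes a literal NUL byte.
def decoded_filename(query_value)
  URI.decode_www_form_component(query_value)
end

# Drop any leading path, then replace each run of invalid characters with "_".
def sanitize_upload_filename(name)
  base = name.gsub(/\A.*[\\\/]/m, '')
  base.gsub(INVALID_FILENAME_CHARS, '_')
end

# File.extname raises ArgumentError on a NUL byte; report that as nil
# instead of letting it surface as an unhandled exception.
def safe_extname(name)
  File.extname(name)
rescue ArgumentError
  nil
end

# Extension allow-list check that rejects names Ruby cannot parse as paths.
def extension_allowed?(name, allowed)
  ext = safe_extname(name)
  return false if ext.nil?
  allowed.include?(ext.sub(/\A\./, '').downcase)
end

# Constructed sample input, matching the request shown in the description.
raw = decoded_filename('hello%00world.txt')
clean = sanitize_upload_filename(raw)

puts "raw contains NUL:   #{raw.include?("\x00")}"
puts "extname on raw:     #{safe_extname(raw).inspect}"
puts "sanitized filename: #{clean}"
puts "extension allowed:  #{extension_allowed?(clean, %w[txt])}"
```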