JRuby

Iconv.conv leaks information

Details

  • Type: Bug Bug
  • Status: Resolved Resolved
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: JRuby 1.2
  • Fix Version/s: None
  • Component/s: Extensions
  • Labels:
    None
  • Environment:
    # uname -a
    Linux notebook 2.6.29-4GB #1 SMP PREEMPT Sat Mar 28 01:54:40 CET 2009 i686 i686 i386 GNU/Linux
    # jruby --version
    jruby 1.2.0 (ruby 1.8.6 patchlevel 287) (2009-04-03 rev 6586) [i386-java]
  • Number of attachments :
    0

Description

Execute this ruby code:

require 'iconv'; puts Iconv.conv("iso-8859-1","utf-8","hidden:foo\xA0bar".split(':')[1])

What should happen should be either an output of
"foo�bar"
or an error message
Iconv::IllegalSequence: "\240bar"

However, the output is:

"hidden:foo�bar"

This means that not only the answer is wrong, but also that characters which are not part of the string "foo�bar" (but which used to be somehow "near" to this string in some input) are actually leaking. Thus, input filtering is not working, which is a security issue.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Charles Oliver Nutter added a comment -

So this is an iconv bug, right? Moving off Java Integration component to Extensions.

Show
Charles Oliver Nutter added a comment - So this is an iconv bug, right? Moving off Java Integration component to Extensions.
Hide
Permalink
Diego Plentz added a comment -

Working here in jruby 1.6.7. Can be closed.

mri 1.9.3 output

~/Projects/opensource/jruby_report (master) $ ruby bla.rb 
/Users/plentz/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require': iconv will be deprecated in the future, use String#encode instead.
bla.rb:1:in `conv': "\xA0bar" (Iconv::IllegalSequence)
	from bla.rb:1:in `<main>'

jruby 1.6.7 output:

~/Projects/opensource/jruby_report (master) $ ruby bla.rb 
Iconv::IllegalSequence: foo bar
   iconv at org/jruby/RubyIconv.java:284
   iconv at org/jruby/RubyIconv.java:256
    conv at org/jruby/RubyIconv.java:391
  (root) at bla.rb:1
Show
Diego Plentz added a comment - Working here in jruby 1.6.7. Can be closed. mri 1.9.3 output ~/Projects/opensource/jruby_report (master) $ ruby bla.rb /Users/plentz/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require': iconv will be deprecated in the future , use String #encode instead. bla.rb:1:in `conv': "\xA0bar" (Iconv::IllegalSequence) from bla.rb:1:in `<main>' jruby 1.6.7 output: ~/Projects/opensource/jruby_report (master) $ ruby bla.rb Iconv::IllegalSequence: foo bar iconv at org/jruby/RubyIconv.java:284 iconv at org/jruby/RubyIconv.java:256 conv at org/jruby/RubyIconv.java:391 (root) at bla.rb:1
Hide
Permalink
Charles Oliver Nutter added a comment -

Marking as fixed based on user feedback.

Show
Charles Oliver Nutter added a comment - Marking as fixed based on user feedback.

People

  • Assignee:
    Charles Oliver Nutter
    Reporter:
    Xuân Baldauf
Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: