On 5/9/25 10:21 AM, Christopher Schultz wrote:
. . .
A lot of this comes from the fact that Tomcat is written in Java which
does not use null-terminated strings. A null byte in a string in Java is
not special in any way, and so it can't be used to prematurely terminate
a string that should otherwise be considered to be longer.
. . .
Hope that helps,
-chris
It does.
Given that Tomcat is in Java, and our webapp context (and presumably any
other webapp context that will run in Tomcat) is in Java, and
null-terminated strings are not a Java-native format, it sounds like the
most a null byte injection could do would be to (as Dr. McCoy once put
it) "take up knitting."
And if a rogue null byte somehow got past the webapp, and into the C
layer of the server for which our Tomcat webapp acts as a front-end, the
worst it could do would be to cause a child-server job to either abend
or lock up, which would be at most a minor nusiance.
Thanks.
--
JHHL
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
