Subject: $NO_NULL security issue
The filter used to remove null bytes will only remove the null byte "\000".
Perl also interprets a null byte as "\0" and "\00", and with the filter
url_decode() the null byte "%00" gets decoded. The setting $NO_NULL
can be hacked.
An example:
my $value = "Test 1-\011-\n\n" . "Test 2-\015\012-\n\n"; # safe stuff
$value .= "Test 3-\0-\00-\000-%00-\n\n"; # add-in Null Bytes
# send variable $value to CGI::Simple for parsing
#$value = CGI::Simple::url_decode($value); # used to decode "%00"
print $value;
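
The ordering problem behind the "%00" case, as an added example that is not part of the original report and not CGI::Simple's own code: a null filter that runs before URL decoding never sees the encoded byte, while the same filter run after decoding does. The helpers percent_decode and strip_nulls are hypothetical stand-ins, and the input is a constructed sample.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for a URL decoder (assumption, not CGI::Simple's
# code): turns each %XX escape into the byte it names.
sub percent_decode {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Hypothetical filter: removes raw NUL bytes, reports how many were dropped.
sub strip_nulls {
    my ($s) = @_;
    my $removed = ($s =~ tr/\0//d);
    return ($s, $removed);
}

# Weak order: filter first, decode afterwards. "%00" is still three
# printable characters when the filter runs, so it passes through and
# only becomes a NUL byte in the decode step.
sub filter_then_decode {
    my ($raw) = @_;
    my ($clean) = strip_nulls($raw);
    return percent_decode($clean);
}

# Corrected order: decode first, then filter the decoded bytes.
sub decode_then_filter {
    my ($raw) = @_;
    return strip_nulls(percent_decode($raw));
}

# Constructed sample input modelled on the "Test 3" string in the report.
my $raw = "Test 3-\0-\00-\000-%00-";

my $weak = filter_then_decode($raw);
my ($safe, $removed) = decode_then_filter($raw);

printf "filter then decode: %d NUL byte(s) remain\n", ($weak =~ tr/\0//);
printf "decode then filter: %d NUL byte(s) remain, %d removed\n",
    ($safe =~ tr/\0//), $removed;
```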