\0 (just for fun)

An amusing Discourse bug:

In my email notifications from the thread Convenient null-terminated string literals, all of the code samples have the string \0 (or for anyone reading this by email, backslash zero) replaced with the string %{email_content}. But only in the HTML version, not the plaintext version.

I suppose the Ruby code responsible for formatting email notifications is suffering from this issue.

Just for fun, let's see how this behaves.

\0 - \1 - \2 - \3 - \4 - \` - \'

\0 - \1 - \2 - \3 - \4 - ` - '

\0 - \1 - \2 - \3 - \4 - \` - \'

\\0 - \\1 - \\2 - \\3 - \\4 - \\` - \\'


For some reason, this reminds me of all those "Dear %FIRST_NAME%, this is a personal message just for you" mass recruitment emails.


Is this a security issue? Untrusted input causing unexpected behavior concerns me...


I doubt it's likely a security issue itself, but it is theoretically an exposure of information that shouldn't be exposed.

The worst I could think of happening (without another chained exploit) is some sort of DoS if some sort of exposed replacement is exploitable for increasing post size.

The linked issue shows the following replacement options:

\& (the entire regex)
\+ (the last group)
\` (pre-match string)
\' (post-match string)
\0 (same as \&)
\1 (first captured group)
\2 (second captured group)
\\ (a backslash)

& - + - ` - ' - \0 - \1 - \2 - \

My guess, though, based on @comex's results, is it's got something like "%{email_content}".gsub( "%{email_content}", email_content ) (which seems redundant, but pre-match and post-match are showing up empty, soo

(I don't know Ruby)
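To make the guess above concrete, here is an added example (not Discourse's own code) of how Ruby's String#gsub expands back-references inside a string replacement, alongside the two forms that insert the value literally. TEMPLATE and POST are constructed stand-ins for the notification template and a post body.

```ruby
# Added example (not Discourse's code): Ruby's String#gsub interprets
# backslash sequences (\0, \&, \1, \`, \') inside a *string* replacement,
# so untrusted text used as the replacement gets rewritten. The block form
# and format() treat the value literally.

# Constructed template and post body; TEMPLATE and POST are assumptions.
TEMPLATE = "[reply] %{email_content}"
POST = 'The literal "abc\0" ends with NUL; see also \1, \& and \`.'

# Back-reference sequences that gsub expands in a string replacement.
BACKREF = /\\[0-9&+`'\\]/

# Lists the sequences in a value that a string-replacement gsub would expand;
# useful as a check that a template filler is vulnerable to this behaviour.
def leaked_sequences(value)
  value.scan(BACKREF)
end

# Vulnerable: the value is the replacement *string*, so \0 and \& become the
# matched placeholder, \1 becomes "" and \` leaks the pre-match text.
def render_unsafe(template, fields)
  fields.reduce(template) { |out, (key, value)| out.gsub("%{#{key}}", value) }
end

# Safe: the block's return value is inserted verbatim, with no expansion.
def render_safe(template, fields)
  fields.reduce(template) { |out, (key, value)| out.gsub("%{#{key}}") { value } }
end

# Also safe and idiomatic: format() only parses the template, never the values.
def render_format(template, fields)
  format(template, fields.transform_keys(&:to_sym))
end

if __FILE__ == $PROGRAM_NAME
  fields = { "email_content" => POST }
  puts "affected sequences: #{leaked_sequences(POST).inspect}"
  puts "unsafe: #{render_unsafe(TEMPLATE, fields)}"
  puts "safe:   #{render_safe(TEMPLATE, fields)}"
  puts "format: #{render_format(TEMPLATE, fields)}"
end
```

The unsafe rendering turns `\0` and `\&` into the literal placeholder text and `\`` into everything before it, which matches the %{email_content} symptom reported in the thread.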

Maybe a billion-laughs-style attack to overflow into somewhere you shouldn't be? I don't know Ruby either, so I don't know if this style of attack is feasible or not...

You might want to raise this on the Discourse Discourse.


Posted.
