In my email notifications from the thread Convenient null-terminated string literals, all of the code samples have the string \0 (or for anyone reading this by email, backslash zero) replaced with the string %{email_content}. But only in the HTML version, not the plaintext version.
I suppose the Ruby code responsible for formatting email notifications is suffering from this issue.
I doubt it's likely a security issue itself, but it is theoretically an exposure of information that shouldn't be exposed.
The worst I could think of happening (without another chained exploit) is some sort of DoS if some sort of exposed replacement is exploitable for increasing post size.
The linked issue shows the following replacement options:
\& (the entire regex)
\+ (the last group)
\` (pre-match string)
\' (post-match string)
\0 (same as \&)
\1 (first captured group)
\2 (second captured group)
\\ (a backslash)
& - + - ` - ' - \0 - \1 - \2 - \
My guess, though, based on @comex's results, is it's got something like "%{email_content}".gsub( "%{email_content}", email_content ) (which seems redundant, but pre-match and post-match are showing up empty, soo
Maybe billion laughs style attack to overflow into somewhere you shouldn't be? I don't know ruby either, so I don't know if this style of attack is feasible or not...
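An added example, not code from this thread or from the notification code it discusses, showing the gsub behaviour guessed at above and the forms that insert content verbatim (the template string and the placeholder handling are assumptions):

```ruby
# Added example (not from the thread or the notification code it discusses).
# Ruby's String#gsub interprets backslash sequences in a *string* replacement
# argument as back-references: \0 and \& become the whole match, \1..\9 the
# capture groups (dropped when the group does not exist), \` and \' the text
# before and after the match. User content passed as the replacement string
# is therefore not inserted verbatim. The block form and String#% are.

# Hypothetical notification template using the placeholder seen in the post.
TEMPLATE = "Hello,\n%{email_content}\nRegards".freeze

# Constructed user content containing the sequences from the thread
# (single quotes keep the backslashes literal).
CONTENT = 'puts "a\0b" \1 and \& here'.freeze

# Buggy: content is the replacement *string*, so its \0, \& and \1 are
# expanded by gsub (\1 vanishes because the literal pattern has no groups).
def render_with_string_replacement(template, content)
  template.gsub('%{email_content}', content)
end

# Fixed: the block's return value is substituted literally.
def render_with_block(template, content)
  template.gsub('%{email_content}') { content }
end

# Also fixed: Ruby's own named-reference formatting inserts arguments
# verbatim (any other '%' in the template must be written as '%%').
def render_with_format(template, content)
  template % { email_content: content }
end

# Detection aid: the backslash sequences gsub would expand in a replacement.
BACKREF_SEQUENCE = /\\[0-9&+`'\\]/

def backref_sequences(content)
  content.scan(BACKREF_SEQUENCE)
end

if __FILE__ == $PROGRAM_NAME
  puts render_with_string_replacement(TEMPLATE, CONTENT)
  # middle line: puts "a%{email_content}b"  and %{email_content} here
  puts render_with_block(TEMPLATE, CONTENT)
  # middle line: puts "a\0b" \1 and \& here
  p backref_sequences(CONTENT) # => ["\\0", "\\1", "\\&"]
end
```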