---
engine: ruby
cve: 2019-15845
url: https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
title: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
date: 2019-10-01
description: |
  Built-in methods File.fnmatch and its alias File.fnmatch? accept the path
  pattern as their first parameter. When the pattern contains a NUL character
  (\0), the methods treat the path pattern as ending immediately before the
  NUL byte. Therefore, in a script that uses external input as the pattern
  argument, an attacker can make it wrongly match a pathname that is the
  second parameter.
patched_versions:
  - "~> 2.4.8"
  - "~> 2.5.7"
  - "~> 2.6.5"
  - "> 2.7.0-preview1"