Is null-byte injection possible in Java filenames?

According to the following resources:

  • Null byte attacks are alive and well
  • Null Byte Injection
  • Java Null Byte injections

we can conclude that Null Byte injections are possible in Java.


Null byte injection depends on a mismatch in the way that strings are handled.

e.g. Java stores the length of the string independently of the content of the string, while C starts at the beginning of the string and checks for a Null Byte to indicate the end of the string.

As a result, Java code can perform checks like "does the file requested end with .jsp" on a string like "/etc/shadow%00.jsp" (where %00 represents the null byte), and return true, while passing this string to "new FileInputStream()" will result in the underlying OS (both Windows and Linux) trying to open "/etc/shadow".

(Relevance of trying to open /etc/shadow on Windows is left as an exercise for the reader :-) )


Null byte injection in filenames was fixed in Java 7 update 40 (released around Sept. 2013): https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8014846. So, it's FINALLY fixed.
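
The length-versus-terminator mismatch described above, as an added example that is not code from any of the answers: it shows the suffix check passing on the "/etc/shadow%00.jsp" string, the name a NUL-terminated consumer would see, and an explicit NUL check applied before any file API is reached. The class name and the helpers `isSafeJspName` and `asSeenByC` are hypothetical names chosen for illustration.

```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.net.URLDecoder;

public class NullByteFilenameDemo {

    // Hypothetical validator: reject any embedded NUL before looking at the suffix,
    // so the check does not depend on which Java runtime the code ends up on.
    static boolean isSafeJspName(String name) {
        if (name.indexOf('\0') >= 0) {
            return false;
        }
        return name.endsWith(".jsp");
    }

    // Hypothetical helper: the part of the string a NUL-terminated (C-style)
    // consumer would treat as the whole file name.
    static String asSeenByC(String s) {
        int nul = s.indexOf('\0');
        return nul < 0 ? s : s.substring(0, nul);
    }

    public static void main(String[] args) throws Exception {
        // The string from the answer above; %00 decodes to a single NUL character.
        String requested = URLDecoder.decode("/etc/shadow%00.jsp", "UTF-8");

        // Java keeps the length separately, so the NUL is just another character.
        System.out.println("Java length:          " + requested.length());
        System.out.println("naive endsWith(.jsp): " + requested.endsWith(".jsp"));

        // A NUL-terminated consumer stops at the first NUL.
        System.out.println("NUL-terminated view:  " + asSeenByC(requested));

        // The explicit check refuses the name regardless of its suffix.
        System.out.println("isSafeJspName:        " + isSafeJspName(requested));

        // On a runtime that includes the fix referenced above, the constructor
        // refuses a path containing NUL instead of handing it to the OS.
        try (FileInputStream in = new FileInputStream(requested)) {
            System.out.println("opened: runtime predates the fix");
        } catch (FileNotFoundException e) {
            System.out.println("FileInputStream:      " + e.getMessage());
        }
    }
}
```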