Nice real world example of the poison null byte attack.
For those who don't know what a null byte attack is, that's where you pass in an http request that turns into a string that explicitly encodes a null byte, \0 at the end. So you insert something like subsection=/../../../../../../../../../../../../../../../../etc/passwd%00. Now the code in the application tries to append something like .txt because "how bad could a .txt file be", and it arrives in C land as "/../../../../../../../../../../../../../../../../etc/passwd\0.txt\0" and C thinks that the string ends at the first \0 and doesn't pay any attention to the .txt bit.
This is a good example of why your escaping mechanism should always be "allow only what is explicitly known to be safe" rather than "block what is known to be unsafe". Because you have no idea what unsafe things there are that you don't know about.
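To make the two points above concrete, here is an added example in C (not code from the thread or from the application being discussed). It decodes a `subsection`-style query value, shows how a `%00` survives into the assembled path so that the appended `.txt` sits past the terminator C stops at, and then shows the allowlist-style check the comment recommends. `DOCROOT`, `url_decode`, `naive_build_path` and `safe_build_path` are names chosen for this example; the `%00` sample input is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical document root used by both path builders below. */
#define DOCROOT "/var/www/docs"

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode a query value into out (at most outsz bytes). Returns the
   number of decoded bytes, or -1 on malformed %XX or overflow. The result is
   returned as (buffer, length), not as a C string, so a %00 is still visible
   to the caller as a real 0x00 byte. ('+' handling is omitted on purpose:
   a space is rejected by the allowlist anyway.) */
int url_decode(const char *in, unsigned char *out, size_t outsz) {
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c;
        if (in[i] == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = in[i + 1] ? hexval((unsigned char)in[i + 2]) : -1;
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        } else {
            c = (unsigned char)in[i];
        }
        if (n >= outsz) return -1;
        out[n++] = (unsigned char)c;
    }
    return (int)n;
}

/* The pattern the comment describes: a length-aware layer assembles
   DOCROOT "/" <decoded bytes> ".txt" and hands it to C as a char*.
   Any 0x00 inside the decoded bytes ends the string early for strlen(),
   fopen() and friends, so the ".txt" suffix is silently ignored. */
int naive_build_path(const char *param, char *out, size_t outsz) {
    unsigned char dec[256];
    int n = url_decode(param, dec, sizeof dec);
    if (n < 0) return -1;
    size_t need = strlen(DOCROOT) + 1 + (size_t)n + 4 + 1;
    if (need > outsz) return -1;
    char *p = out;
    memcpy(p, DOCROOT, strlen(DOCROOT)); p += strlen(DOCROOT);
    *p++ = '/';
    memcpy(p, dec, (size_t)n);           p += n;
    memcpy(p, ".txt", 4);                p += 4;
    *p = '\0';
    return 0;   /* out now holds "...\0.txt\0" if the input carried a %00 */
}

static int is_allowed(unsigned char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '-';
}

/* "Allow only what is known to be safe": a document name is a short run of
   [A-Za-z0-9_-]. Everything else, including '/', '.', and an embedded NUL,
   is rejected, so neither traversal nor terminator tricks reach the
   filesystem call. The explicit NUL check is redundant with the allowlist
   but makes the truncation hazard visible when reading the code. */
int safe_build_path(const char *param, char *out, size_t outsz) {
    unsigned char dec[256];
    int n = url_decode(param, dec, sizeof dec);
    if (n <= 0 || n > 64) return -1;
    if (memchr(dec, '\0', (size_t)n) != NULL) return -1;   /* embedded NUL */
    for (int i = 0; i < n; i++)
        if (!is_allowed(dec[i])) return -1;                /* allowlist */
    int w = snprintf(out, outsz, "%s/%.*s.txt", DOCROOT, n, (const char *)dec);
    if (w < 0 || (size_t)w >= outsz) return -1;
    return 0;
}

int main(void) {
    char buf[512];
    if (naive_build_path("notes%00", buf, sizeof buf) == 0)
        printf("naive: C sees \"%s\" (\".txt\" sits after the NUL)\n", buf);
    printf("safe(\"notes\")     -> %d\n", safe_build_path("notes", buf, sizeof buf));
    printf("safe(\"notes%%00\")  -> %d\n", safe_build_path("notes%00", buf, sizeof buf));
    printf("safe(\"a%%2Fb\")     -> %d\n", safe_build_path("a%2Fb", buf, sizeof buf));
    return 0;
}
```

The naive builder shows the mechanism without any traversal: the caller believes it wrote `notes\0.txt`, but every C string function reads it as `/var/www/docs/notes`. The safe builder never tries to enumerate bad inputs; it accepts one narrow shape and rejects the rest, which is why it also blocks characters the author may never have thought of.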
After mangling a number of string operations (and the program memory space) when first learning C, I realized how terrible they could be. If I can mistakenly destroy my memory space, what would a malicious mind do with such a thing?