Index: en/security/filesystem.xml
===================================================================
RCS file: /repository/phpdoc/en/security/filesystem.xml,v
retrieving revision 1.4
diff -u -r1.4 filesystem.xml
--- en/security/filesystem.xml	17 Apr 2007 16:31:00 -0000	1.4
+++ en/security/filesystem.xml	24 Apr 2007 19:51:41 -0000
@@ -144,6 +144,58 @@
     reason, it's usually easier to create a policy where you forbid
     everything except for what you explicitly allow.
    </para>
+   <sect1 id="security.filesystem.nullbytes">
+    <title>Null bytes related issues</title>
+    <simpara>
+     As PHP uses the underlying C functions for filesystem related
+     operations, it may handle null bytes in a quite unexpected way.
+     As null bytes denote the end of a string in C, strings containing them 
+     won't be considered entirely but rather only until a null byte occurs.
+
+     The following example shows a vulnerable code that demonstrates this problem:
+    </simpara>
+    <example>
+     <title>Script vulnerable to null bytes</title>
+     <programlisting role="php">
+<![CDATA[
+<?php
+$file = $_GET['file']; // "../../etc/passwd\0"
+if (file_exists('/home/wwwrun/'.$file.'.php')) {
+    // file_exists will return true as the file /home/wwwrun/../../etc/passwd exists
+    include '/home/wwwrun/'.$file.'.php';
+    // the file /etc/passwd will be included
+}
+?>
+]]>
+     </programlisting>
+    </example>
+    <para>
+     Therefore, any tainted string that is used in a filesystem operation should always
+     be validated properly. Here is a better version of the previous example:
+    </para>
+    <example>
+     <title>Correctly validating the input</title>
+     <programlisting role="php">
+<![CDATA[
+<?php
+$file = $_GET['file']; 
+
+// Whitelisting possible values
+switch ($file) {
+    case 'main':
+    case 'foo':
+    case 'bar':
+        include '/home/wwwrun/include/'.$file.'.php';
+        break;
+    default:
+        include '/home/wwwrun/include/main.php';
+}
+?>
+]]>
+     </programlisting>
+    </example>
+   </sect1>
+
   </chapter>
 
 <!-- Keep this comment at the end of the file