IOW, fix the consumer (where the real bug is), not every producer.

On 13/09/2010 2:16 PM, Dossy Shiobara wrote:
Actually, someone made the point -- what if you log request *headers*
and someone puts a malicious byte sequence in that header?  What's the
rule around escaping the header values?  What about every other code
path where a remote user can write unfiltered bytes to a file on the
server (logfile, etc.).

Essentially, the vulnerability here isn't in applications that write
these bytes to files, but specific terminal applications that are weak
and should be fixed.  Otherwise, "cat" is potentially "vulnerable" and
that's a ridiculous position to hold.


On 9/13/10 4:46 PM, Tom Jackson wrote:
Anyway, it is critical to examine and normalize the request uri asap
and act quickly when presented with invalid chars.
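To make the escaping rule Dossy asks about concrete, here is an added example in Python; it is not code from this thread or from AOLserver (whose request logging lives in Tcl and C), and the function names, the byte ranges treated as control bytes and the sample header values are my own assumptions. It shows both sides of the argument in the thread: a producer-side escaper that rewrites every byte outside printable ASCII as `\xNN` before a header value is appended to a log line, and a consumer-side filter, in the spirit of "fix the consumer", that strips ANSI CSI/OSC sequences and stray control bytes from data that was already logged unescaped. It goes slightly beyond the thread by also escaping bytes above 0x7f, so the log stays 7-bit clean and no terminal gets a chance to interpret C1 controls.

```python
"""Added example (not part of the thread): escaping header values before
logging them, and cleaning terminal escape sequences out of an existing log.

Sample inputs below are constructed for illustration.
"""
import re

# Printable ASCII is 0x20..0x7e. Everything else (C0 controls, DEL, the C1
# range 0x80..0x9f that some terminals treat as 8-bit ESC sequences, and
# other high bytes) is rendered as \xNN. Backslash is doubled so the
# escaping is unambiguous and reversible.
_PRINTABLE_LO, _PRINTABLE_HI = 0x20, 0x7E


def escape_log_field(value: bytes) -> str:
    """Producer side: return a str that is safe to append to a text log."""
    out = []
    for b in value:
        if b == 0x5C:                      # backslash
            out.append("\\\\")
        elif _PRINTABLE_LO <= b <= _PRINTABLE_HI:
            out.append(chr(b))
        else:                              # control, DEL, or non-ASCII byte
            out.append(f"\\x{b:02x}")
    return "".join(out)


def format_access_line(method: bytes, uri: bytes, user_agent: bytes) -> str:
    """Build one access-log line from raw request fields. Every field goes
    through escape_log_field, so nothing a client sends can break the line
    or reach a terminal as a control sequence."""
    return '%s %s "%s"' % (
        escape_log_field(method),
        escape_log_field(uri),
        escape_log_field(user_agent),
    )


# Consumer side: patterns a terminal would act on. Tried in order:
#   ESC [ params intermediates final      (CSI, e.g. colour/clear-screen)
#   ESC ] ... BEL  or  ESC ] ... ESC \    (OSC, e.g. set window title)
#   ESC + one byte in 0x40..0x5f          (other two-byte Fe sequences)
#   any remaining control byte except \t and \n
_TERMINAL_CONTROL = re.compile(
    rb"\x1b\[[0-?]*[ -/]*[@-~]"
    rb"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    rb"|\x1b[@-_]"
    rb"|[\x00-\x08\x0b-\x1f\x7f-\x9f]"
)


def strip_terminal_escapes(data: bytes) -> bytes:
    """Consumer side: remove terminal control sequences from log data that
    was written without escaping, keeping tabs and newlines."""
    return _TERMINAL_CONTROL.sub(b"", data)


def count_control_sequences(data: bytes) -> int:
    """How many terminal control sequences a log chunk contains; a non-zero
    count on a log that is supposed to be escaped is worth alerting on."""
    return len(_TERMINAL_CONTROL.findall(data))


if __name__ == "__main__":
    # Constructed sample: a User-Agent carrying a clear-screen sequence.
    ua = b"Mozilla/5.0 \x1b[2J\x07"
    print(format_access_line(b"GET", b"/index.html", ua))
    # Constructed sample: a log line that was written without escaping.
    raw = b"GET / \x1b[31mred\x1b[0m \x1b]0;owned\x07\n"
    print(count_control_sequences(raw), strip_terminal_escapes(raw))
```

The producer rule is deliberately strict and simple: only printable ASCII survives unchanged, so a reviewer can audit it in one line, and the `\xNN` form lets the original bytes be recovered if an investigation needs them. The consumer filter is what a log viewer or a hardened `cat` replacement would apply; the thread's point is that this is where the actual bug lives, while producer-side escaping is cheap defence in depth for logs you control.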



--
AOLserver - http://www.aolserver.com/
