Steve Langasek <[EMAIL PROTECTED]> writes:

>> Since urlsnarf is usually used on a terminal to have a look at
>> requested URLs in real-time, a malicious attacker could use
>> requests with escape sequences to execute arbitrary code.
>
> By this reasoning, cat would have a grave bug for allowing users to
> send untrusted files to the terminal without escaping.

Nah. urlsnarf is designed specifically to display URIs from HTTP requests out of sniffed network traffic, and there are various RFCs that define pretty well what characters in a URI are valid and what characters aren't. Comparing urlsnarf to cat does not make any sense.

> If a terminal can be exploited to cause arbitrary code execution
> through control sequences in a file being displayed, we should
> consider this a bug in the terminal.

It would _also_ be a bug in the terminal application. As a user of urlsnarf, I'd expect ASCII output that will not mess up my terminal in whatever way. By the way, since CVE-2003-0020, the Apache webserver has been doing the same log file sanitizing.

> I don't see any reason that dsniff should be picked on here

I am not picking on anything or anybody here, only trying to fix bugs where appropriate.

-Hilko
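The kind of output filtering discussed in this message, as an added example that is not part of the original mail and not dsniff's code: a sniffed URI is written out with every byte outside the RFC 3986 character set percent-encoded, so no control sequence reaches the terminal. The names `uri_char_ok` and `sanitize_uri`, the choice of percent-encoding, and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* RFC 3986 URI characters: unreserved, gen-delims, sub-delims, and '%'. */
static int uri_char_ok(unsigned char c)
{
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
        (c >= '0' && c <= '9'))
        return 1;
    /* The c != 0 test stops strchr from matching the string terminator. */
    return c != '\0' && strchr("-._~:/?#[]@!$&'()*+,;=%", c) != NULL;
}

/*
 * Copy len bytes of a sniffed URI into out, percent-encoding every byte
 * outside the RFC 3986 set (ESC, BEL, other controls, space, 8-bit bytes).
 * Returns the bytes written (without the NUL), or -1 if out is too small.
 * Hypothetical helper for this example, not a dsniff function.
 */
long sanitize_uri(const unsigned char *in, size_t len, char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        size_t need = uri_char_ok(in[i]) ? 1 : 3;
        if (o + need + 1 > outsz)       /* keep room for the NUL */
            return -1;
        if (need == 1) {
            out[o++] = (char)in[i];
        } else {
            out[o++] = '%';
            out[o++] = hex[in[i] >> 4];
            out[o++] = hex[in[i] & 0x0f];
        }
    }
    if (outsz == 0)
        return -1;
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    /* Constructed sample request path containing ESC and BEL bytes. */
    static const unsigned char sample[] = "/a?q=\x1b[2J\x07";
    char line[64];
    if (sanitize_uri(sample, sizeof(sample) - 1, line, sizeof(line)) >= 0)
        puts(line);
    return 0;
}
```

A literal `%` is passed through unchanged, so URIs that are already percent-encoded print as they were sent.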