why don't you guys agree to disagree and STFU?

On 10/8/07, Geo. <[EMAIL PROTECTED]> wrote:
> ----- Original Message -----
> From: "Glynn Clements" <[EMAIL PROTECTED]>
>
> > URIs which it passes to an external handler (e.g. mailto:), it only
> > needs to identify the scheme (to select the correct handler); it is
> > the handler's responsibility to validate its own URIs (i.e. mail
> > programs need to validate mailto: URIs).
>
> I don't agree. Whatever program takes input from an untrusted source, it's
> that program's duty to sanitize the input before passing it on to internal
> components. It's like a firewall, you filter before it gets inside the
> system.
>
> Example, an ftp server has to sanitize filenames to prevent usage of
> streams on NTFS, you don't blame the filesystem that the input gets passed
> to, it's the job of the ftp server to do the sanitizing of untrusted input.
>
> Geo.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
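The two boundary checks the thread argues about, written out as an added example (not code from any participant in the thread): a dispatcher that extracts a URI scheme strictly per RFC 3986 syntax and refuses to hand off anything that is not on an allow-list, and an FTP-style filename filter that rejects NTFS alternate-data-stream syntax (`name:stream:$DATA`) and other names the filesystem would reinterpret. The allow-list contents and the sample inputs are constructed for illustration.

```python
"""Validate untrusted input at the boundary before passing it on.

Constructed example. Two independent checks:
  1. scheme_of() / is_dispatchable(): identify a URI scheme the way a
     dispatcher must, using the exact RFC 3986 scheme grammar, and only hand
     off schemes the application knows a handler for. The handler still has
     to validate the rest of the URI itself.
  2. safe_ntfs_filename(): reject client-supplied filenames an FTP server on
     NTFS should never pass to the filesystem, in particular the ':' that
     introduces an alternate data stream (e.g. upload.txt:hidden:$DATA).
"""
import re

# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
# Anchored at position 0 on purpose: leading whitespace or control characters
# are not skipped, because a lenient dispatcher may pick a different handler
# than the one the handler's own parser would later assume.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+\-.]*):")

# Assumption for this example: the application registers handlers for these only.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})


def scheme_of(uri: str):
    """Return the lower-cased scheme if the URI begins with a syntactically
    valid one, otherwise None (no colon, bad first character, leading junk)."""
    m = _SCHEME_RE.match(uri)
    return m.group(1).lower() if m else None


def is_dispatchable(uri: str) -> bool:
    """True only if the scheme is well-formed AND on the allow-list.

    A Windows drive path such as 'c:\\windows' parses as scheme 'c' and is
    refused here because no handler is registered for it, not because the
    dispatcher understood the rest of the string."""
    scheme = scheme_of(uri)
    return scheme is not None and scheme in ALLOWED_SCHEMES


# Characters Win32/NTFS forbids in a name component. ':' is the one that
# matters for streams: 'a.txt:b' is a write to stream 'b' of file 'a.txt'.
_NTFS_FORBIDDEN = frozenset('<>:"/\\|?*') | frozenset(chr(c) for c in range(32))

# Reserved device names; reserved even with an extension (CON.txt -> CON).
_NTFS_RESERVED = (
    frozenset({"CON", "PRN", "AUX", "NUL"})
    | frozenset(f"COM{i}" for i in range(1, 10))
    | frozenset(f"LPT{i}" for i in range(1, 10))
)


def safe_ntfs_filename(name: str) -> bool:
    """Accept only a single name component that NTFS will store literally."""
    if not name or name in (".", ".."):
        return False
    if any(ch in _NTFS_FORBIDDEN for ch in name):
        return False  # covers ':' (alternate data streams) and path separators
    if name[-1] in " .":
        return False  # Win32 silently strips trailing spaces/dots -> aliasing
    stem = name.split(".", 1)[0].upper()
    if stem in _NTFS_RESERVED:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    for uri in ["mailto:user@example.com", "HTTP://example.com/", " mailto:x",
                "javascript:alert(1)", "1bad:foo", "c:\\windows", "plainfile.txt"]:
        print(f"{uri!r:32} scheme={scheme_of(uri)!r:12} dispatch={is_dispatchable(uri)}")
    for name in ["upload.txt", "upload.txt:hidden:$DATA", "CON", "nul.txt",
                 "report.", "sub/dir.txt", ".hidden"]:
        print(f"{name!r:28} safe={safe_ntfs_filename(name)}")
```

Note that the two checks are deliberately separate: the scheme check lets the dispatcher decide which handler to invoke and nothing more, while the filename check is the kind of filter an FTP server applies because the filesystem behind it will happily honour stream syntax it never intended to expose.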