On 12/27/18 8:51 AM, Niccolò Belli wrote:
> On mercoledì 26 dicembre 2018 13:38:28 CET, Frediano Ziglio wrote:
>> Yes, this looks like a format string error in the upper (not into
>> spice) layer.
>>
>> This potentially is a security problem.
>
> Considering the spice server is exposed to the internet this is
> definitely worth investigating.
>
>> The specific '%' character could be the issue, can you try others
>> ('!', '@' and
>> so on) ?
>
> I tried several other special characters and they all seems to work,
> expect for "Password&&" which gets converted to "Password&&" (if
> I type "Password&&" it works).Could it be related to this patch where our JSON code mishandles %? https://lists.gnu.org/archive/html/qemu-devel/2019-01/msg00108.html -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3226 Virtualization: qemu.org | libvirt.org
signature.asc
Description: OpenPGP digital signature
