On Thu, Jan 7, 2010 at 12:13 PM, Dumitru Daniliuc wrote:
> in addition to these standard functions, we'd like to whitelist some
>> functions from a few extensions chromium uses:
>> full text search (fts2.c): whitelist snippet(), offsets(), optimize(), but
>> not fts2_tokenizer().
>> unicode data
On Thu, Jan 7, 2010 at 11:13 AM, Adam Barth wrote:
> On Thu, Jan 7, 2010 at 10:02 AM, Brady Eidson wrote:
> > Are random() and randomblob() security risks? Could you point us to a
> > source explaining this?
>
> They're fairly low risk, but you tend to leak a surprising amount of
> information
>
> in addition to these standard functions, we'd like to whitelist some
> functions from a few extensions chromium uses:
> full text search (fts2.c): whitelist snippet(), offsets(), optimize(), but
> not fts2_tokenizer().
> unicode data (icu.c): whitelist regexp(), lower(), upper(), like(), but no
On Thu, Jan 7, 2010 at 10:02 AM, Brady Eidson wrote:
> Are random() and randomblob() security risks? Could you point us to a
> source explaining this?
They're fairly low risk, but you tend to leak a surprising amount of
information when you expose non-cryptographic random sources to
attackers.
On Thu, Jan 7, 2010 at 10:02 AM, Brady Eidson wrote:
>
> On Jan 6, 2010, at 2:55 PM, Dumitru Daniliuc wrote:
>
> while doing a security review of chromium's implementation of HTML5 DBs,
> chris noted that some sqlite functions are potential security risks. thus,
> we would like to blacklist them
On Jan 6, 2010, at 2:55 PM, Dumitru Daniliuc wrote:
> while doing a security review of chromium's implementation of HTML5 DBs,
> chris noted that some sqlite functions are potential security risks. thus, we
> would like to blacklist them (or rather, have a list of whitelisted
> functions). cur
while doing a security review of chromium's implementation of HTML5 DBs,
chris noted that some sqlite functions are potential security risks. thus,
we would like to blacklist them (or rather, have a list of whitelisted
functions). currently, WebCore's sqlite authorizer allows all functions, but
has
7 matches
Mail list logo