| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 8 Oct 2007 08:44:18 +0530 From: "Lamer Buster" <lamerbuster@...il.com> To: Geo. <geoincidents@....net> Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype why don't you guys agree to disagree and STUF? On 10/8/07, Geo. <geoincidents@....net> wrote: > ----- Original Message ----- > From: "Glynn Clements" <glynn@...ements.plus.com> > > > URIs which it passes to an external handler (e.g. mailto:), it only > > needs to identify the scheme (to select the correct handler); it is > > the handler's responsibility to validate its own URIs (i.e. mail > > programs need to validate mailto: URIs). > > I don't agree. Whatever program takes input from an untrusted source, it's > that programs duty to sanitize the input before passing it on to internal > components. It's like a firewall, you filter before it gets inside the > system. > > Example, an ftp server has to sanitize filenames to prevent useage of > streams on NTFS, you don't blame the filesystem that the input gets passed > to, it's the job of the ftp server to do the sanitizing of untrusted input. > > Geo. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists