[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] Fix 2441

From: Garrett Rooney <rooneg_at_electricjellyfish.net>
Date: 2006-01-11 19:15:05 CET

On 1/11/06, Kamesh Jayachandran <kamesh@collab.net> wrote:
> Hi Julian,
> Thanks for your feedback.
> Attaching the new patch.
> Limiting the header_data to 20 characters as it seems that maximum
> header name that I see in my dump seems to be 20 characters in length.
> In case some spurious binary line happen to be there in the stream we
> limit to print only 20 characters. Don't think it is worth to loop
> through the characters for the valid printable ascii range. Let me know.

Limiting to 20 characters isn't enough. Putting 20 bytes of arbitrary
binary crap into an error that'll eventually get printed out to the
terminal is a bad thing, and can cause security problems (that's why
apache scrubs data that goes to its log files, it doesn't want to let
random escape characters through because they can be used to do bad
things to terminal emulators). You'll have to verify that the
characters you're putting in the log are printable, and if not convert
them to some safe form (numerical encoding of each byte, or
something).

-garrett

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Jan 11 19:19:56 2006

This is an archived mail posted to the Subversion Dev mailing list.