> Bill Pringlemeir wrote:
>> However, as noted the newline filtering should prevent this from
>> happening with gtk-gnutella.
On 15 Jun 2007, [EMAIL PROTECTED] wrote:
> There's no newline filtering in gtk-gnutella as far as I can
> tell. If it ever requests a file by its filename, the filename will
> be URL-encoded as usual with HTTP. Thus no issue. The local filename
> will be sanitized though, thus any control characters will be
> replaced by a simple space.

It was my understanding that "url_fix_escape()" would be applied to the
result. So when an embedded HTTP response was sent, it would be
escaped. The example in the paper is,

  ../../live HTTP/1.0\r\n\r\nfoo bar.mp3

gtkg should form,

  GET /get/1/../../live%20HTTP/1.0%0d%0a%0d%0afoo%20bar.mp3 HTTP/1.1\r\n

However, maybe this is not correct. Perhaps this is for display only?
I guess the best way to test this would be to form an exploit to test
it.

btw, is "is_action_url_spam()" in search.c ready to be removed?

Regards,
Bill Pringlemeir.
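
The escaping discussed in the message above, as an added example that is not part of the original thread and is not gtk-gnutella code: `escape_path()`, `build_request_line()` and `count_crlf()` are hypothetical helpers (not `url_fix_escape()`), and the input is the filename quoted from the paper. It shows that once the name is percent-encoded, the request line carries exactly one CRLF, the terminator.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not gtk-gnutella's url_fix_escape(): percent-encode
 * every byte except ASCII letters, digits, "-._~" and '/'. Returns -1 if out
 * is too small. '.' and '/' pass through, so ".." is a separate concern. */
static int escape_path(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (outlen == 0)
        return -1;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        int safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                   (c >= '0' && c <= '9') || strchr("-._~/", c) != NULL;
        if (o + (safe ? 1 : 3) >= outlen)   /* keep room for the NUL */
            return -1;
        if (safe) {
            out[o++] = (char)c;
        } else {
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return 0;
}

/* Build "GET /get/<idx>/<escaped name> HTTP/1.1\r\n"; -1 on truncation. */
static int build_request_line(unsigned idx, const char *name, char *out, size_t outlen)
{
    char esc[1024];
    int n;

    if (escape_path(name, esc, sizeof esc) != 0)
        return -1;
    n = snprintf(out, outlen, "GET /get/%u/%s HTTP/1.1\r\n", idx, esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Count CRLF pairs; a well-formed request line has exactly one, at the end. */
static int count_crlf(const char *s)
{
    int n = 0;
    for (; (s = strstr(s, "\r\n")) != NULL; s += 2)
        n++;
    return n;
}
```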