Bill Pringlemeir wrote:

> It was my understanding that "url_fix_escape()" would be applied to
> the result.

url_fix_escape() is only applied to URIs - from magnet-links for example. For /get/ requests, url_escape() is used. See downloads.c.

> So when an embedded HTTP response was sent, it would be escaped. The example
> in the paper is,
>
> ../../live HTTP/1.0\r\n\r\nfoo bar.mp3
>
> gtkg should form,
>
> GET /get/1/../../live%20HTTP/1.0%0d%0a%0d%0afoo%20bar.mp3 HTTP/1.1\r\n

It wouldn't because results with "../" and variants in the filename are dropped.

> However, maybe this is not correct. Perhaps this is for display only?

It's not for display. That's plain HTTP. In the downloads display, you'd see the sanitized local filename. I'm not sure what you'd see at the search results display. IIRC, the line-break is shown as a funny character and does not cause a line-wrap or hide anything. The only display "trick" I've seen is adding lots of spaces before the actual filename extension but that's why I've added the "Extension" column ages ago (for sorting too of course).

> I guess the best way to test this would be to form an exploit to test it.

Maybe.

> btw, Is "is_action_url_spam()" in search.c ready to be removed?

No, why would you want to remove it?

--
Christian
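The two defences the reply describes, as an added illustration that is not gtk-gnutella's own url_escape() or result filter: percent-encode the filename so that space, CR and LF become %20, %0d and %0a (the request line in the paper's example), and drop any result whose filename contains a ".." path segment before a request is ever built. The set of bytes left literal and the function names are assumptions made here.

```c
/* Added example, not gtk-gnutella code: escape a filename for a
 * "/get/<index>/<name>" request and refuse traversal filenames. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Bytes left literal in a path segment (assumed set); everything else,
 * including space, CR and LF, is percent-encoded. */
static int path_safe(unsigned char c)
{
    return c != '\0' && (isalnum(c) || strchr("-._~/", c) != NULL);
}

/* Percent-encode `name` into `out`; returns length or -1 if it would not fit. */
int url_escape_name(const char *name, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (path_safe(*p)) {
            if (n + 1 >= outlen) return -1;
            out[n++] = (char)*p;
        } else {
            if (n + 3 >= outlen) return -1;
            out[n++] = '%';
            out[n++] = hex[*p >> 4];
            out[n++] = hex[*p & 0x0f];
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* 1 if any '/' or '\'-separated component of the raw filename is "..".
 * Runs on the unescaped name, so only literal dot-dot segments exist here. */
int filename_has_traversal(const char *name)
{
    const char *seg = name;
    for (const char *p = name; ; p++) {
        if (*p == '/' || *p == '\\' || *p == '\0') {
            if (p - seg == 2 && seg[0] == '.' && seg[1] == '.') return 1;
            if (*p == '\0') return 0;
            seg = p + 1;
        }
    }
}

/* Build the request line; -1 means the result was dropped or did not fit. */
int build_get_request(unsigned idx, const char *name, char *out, size_t outlen)
{
    char esc[512];
    if (filename_has_traversal(name)) return -1;          /* result dropped */
    if (url_escape_name(name, esc, sizeof esc) < 0) return -1;
    int n = snprintf(out, outlen, "GET /get/%u/%s HTTP/1.1\r\n", idx, esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}
```

With the paper's filename, url_escape_name() alone yields exactly the encoded line Bill expected, but build_get_request() never gets that far because the ".." segments cause the result to be dropped first.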