On Montag, 6. März 2017 16:45:57 CET Gisle Vanem wrote:
> Just a detail, but in src/mswindows.c, there is:
>
> #ifdef ENABLE_IPV6
> /* An inet_ntop implementation that uses WSAAddressToString.
> Prototype complies with POSIX 1003.1-2004. This is only used under
> IPv6 because Wget
Oops
That my fault. I sent the wrong mail.
Very sorry :(
2017-03-07 3:03 GMT+08:00 Tim Rühsen :
> On Dienstag, 7. März 2017 02:01:06 CET Orange Tsai wrote:
> > I am surprise that `http://u...@evil.com:8...@good.com` will connect to `
> > evil.com`, not `good.com`.
> > Most
But still thanks :)
I will try to ask for allocating a CVE from https://cve.mitre.org/
2017-03-07 3:05 GMT+08:00 Orange Tsai :
> Oops
>
> That my fault. I sent the wrong mail.
>
> Very sorry :(
>
> 2017-03-07 3:03 GMT+08:00 Tim Rühsen :
>
>> On
On Dienstag, 7. März 2017 02:01:06 CET Orange Tsai wrote:
> I am surprise that `http://u...@evil.com:8...@good.com` will connect to `
> evil.com`, not `good.com`.
> Most of URL parser will recognize `good.com` is host part. Like this
> advisory, https://curl.haxx.se/docs/adv_20161102J.html
> It
I am surprise that `http://u...@evil.com:8...@good.com` will connect to `
evil.com`, not `good.com`.
Most of URL parser will recognize `good.com` is host part. Like this
advisory, https://curl.haxx.se/docs/adv_20161102J.html
It seem more dangerous if a developer still rely on the result of parse
Tim Rühsen writes:
> Did you try wildcard matching ? (-A "*.pdf*")
That's a bit subtle, though. The -A pattern apparently has to match
everything in the URL after the final /, *including* the query-part
("?..."), which strictly speaking isn't part of the file name. But the
> From: Tim Ruehsen
> Date: Mon, 06 Mar 2017 10:17:25 +0100
> Cc: Orange Tsai
>
> Thanks, just pushed a commit, not allowing control chars in host part.
Hmm... is it really enough to reject only ASCII control characters?
Maybe we should also reject
Orange Tsai writes:
> # This will work
> $ wget 'http://127.0.0.1%0d%0aCookie%3a hi%0a/'
Not even considering the effect on headers, it's surprising that wget
doesn't produce an immediate error, since
"127.0.0.1%0d%0aCookie%3a hi%0a" is syntactically invalid as a host
Just a detail, but in src/mswindows.c, there is:
#ifdef ENABLE_IPV6
/* An inet_ntop implementation that uses WSAAddressToString.
Prototype complies with POSIX 1003.1-2004. This is only used under
IPv6 because Wget prints IPv4 addresses using inet_ntoa. */
This is wrong since 1)
On Monday, March 6, 2017 3:42:24 AM CET Orange Tsai wrote:
> Hi
>
> I just found that there is a CRLF Injection in the latest version of Wget
> 1.19.
>
> Wget uses urlencode to encode CRLF in PATH part but doesn't use in HOST
> port. So an attacker can inject arbitrary header in the request.
>
10 matches
Mail list logo