December Report

2018-12-28 Thread Hugo Lefeuvre
Hi, Here is my LTS report for December. I was allocated 20 hours. I have spent all of them in the following tasks: * libsndfile: + investigate CVE-2018-19432 and show it is a duplicate of CVE-2018-13139. Do not ask for CVE rejection though since issues have different symptoms/paths an

Re: RFC: proposed fix for CVE-2018-19518 in uw-imap

2018-12-28 Thread Roberto C . Sánchez
Hi Tomas, On Fri, Dec 28, 2018 at 12:53:00PM +, Tomas Bortoli wrote: > > By shell escaping I meant to escape all the special shell characters > within the input. That'd probably need additional dependencies or a neat > sanitizer function. > > But I was wrong, it's unnecessary as there's no s

Re: RFC: proposed fix for CVE-2018-19518 in uw-imap

2018-12-28 Thread Tomas Bortoli
Ciao Roberto, On 12/28/18 5:20 AM, Roberto C. Sánchez wrote: > Hi Tomas, > > On Mon, Dec 24, 2018 at 08:47:55PM +, Tomas Bortoli wrote: >>Hi Robert, >> >>Your patch seems not to be definitive against CVE-2018-19518. >>This is because checking for spaces won't be enough if an attacker

Re: RFC: proposed fix for CVE-2018-19518 in uw-imap

2018-12-28 Thread Ola Lundqvist
Hi Roberto I have checked your patch and the described problem and I think it looks good. As I understand the reason why you count the number of tokens instead of checking for a space in the hostname is that it is easier to do that way as you do not need to make an advanced parse mechanism. To my kn

Re: phpmyadmin / CVE-2016-5739.patch

2018-12-28 Thread Ola Lundqvist
Hi Brian I do not think the plain output or XSS is the biggest problem. A bigger problem is remote execution of arbitrary php code. I think there are few ways to make this a big problem. Make the transformation point to ../../../somepath/somefile and then let that file actually contain wrote:

Re: Jessie update of qtbase-opensource-src?

2018-12-28 Thread Ola Lundqvist
Hi I started to look at excluding the uploaders and just include the maintainer but it turned out to be problematic. At least to make it a general thing. I can make a dirty hack but I do not think that would be very useful since we do not contact you that often. The problem is that the uploaders

Re: phpmyadmin / CVE-2018-19968

2018-12-28 Thread Brian May
Abhijith PA writes: > Are you working on phpmyadmin No, I am not currently working on phpmyadmin. -- Brian May

Re: phpmyadmin / CVE-2016-5739.patch

2018-12-28 Thread Brian May
Ola Lundqvist writes: > My conclusion however is about the same as you. I do not think many are > using the transformations so I think we can safely remove that. > Another option is to make a check for .. in the filename, because I think > we can safely assume an attacker does not have write permis