subject:"Re\: REPL Server\: Guard against HTTP inter\-protocol exploitation attacks."

Re: REPL Server: Guard against HTTP inter-protocol exploitation attacks.

2016-10-13 Thread Alex Kost

Ludovic Courtès (2016-10-12 14:23 +0200) wrote:

> Alex Kost  skribis:
>
>> Hello, I've noticed an insignificant typo in commit
>> 08c021916dbd3a235a9f9cc33df4c418c0724e03 (in the fancy warning message).
>>
>> [...]
>>> +   ;; Print a report to STDERR (POSIX file descriptor 2).
>>> +   ;; XXX Can we do better here?
>>> +   (call-with-port (dup->port 2 "w")
>>> + (cut format <> "
>>> +@
>>> +@@ POSSIBLE BREAK-IN ATTEMPT ON THE REPL SERVER@@
>>> +@@ BY AN HTTP INTER-PROTOCOL EXPLOITATION ATTACK.  See:@@
>>> +@@  @@
>>> +@@ Possible HTTP request received: ~S
>>   ^^
>> Missing trailing "@@" in the above line.
>
> As discussed on IRC, I think this is intended: we don’t know the length
> of the string being printed by ~S.

Yes, I got it, thanks and sorry for bothering :-)

-- 
Alex

Re: REPL Server: Guard against HTTP inter-protocol exploitation attacks.

2016-10-12 Thread Ludovic Courtès

Alex Kost  skribis:

> Hello, I've noticed an insignificant typo in commit
> 08c021916dbd3a235a9f9cc33df4c418c0724e03 (in the fancy warning message).
>
> [...]
>> +   ;; Print a report to STDERR (POSIX file descriptor 2).
>> +   ;; XXX Can we do better here?
>> +   (call-with-port (dup->port 2 "w")
>> + (cut format <> "
>> +@
>> +@@ POSSIBLE BREAK-IN ATTEMPT ON THE REPL SERVER@@
>> +@@ BY AN HTTP INTER-PROTOCOL EXPLOITATION ATTACK.  See:@@
>> +@@  @@
>> +@@ Possible HTTP request received: ~S
>   ^^
> Missing trailing "@@" in the above line.

As discussed on IRC, I think this is intended: we don’t know the length
of the string being printed by ~S.

Ludo’.

Re: REPL Server: Guard against HTTP inter-protocol exploitation attacks.

2016-10-12 Thread Alex Kost

Hello, I've noticed an insignificant typo in commit
08c021916dbd3a235a9f9cc33df4c418c0724e03 (in the fancy warning message).

[...]
> +   ;; Print a report to STDERR (POSIX file descriptor 2).
> +   ;; XXX Can we do better here?
> +   (call-with-port (dup->port 2 "w")
> + (cut format <> "
> +@
> +@@ POSSIBLE BREAK-IN ATTEMPT ON THE REPL SERVER@@
> +@@ BY AN HTTP INTER-PROTOCOL EXPLOITATION ATTACK.  See:@@
> +@@  @@
> +@@ Possible HTTP request received: ~S
  ^^
Missing trailing "@@" in the above line.

> +@@ The associated socket has been closed.  @@
> +@\n"
> +  (string-append request-line
> + drained-input)

-- 
Alex

Re: REPL Server: Guard against HTTP inter-protocol exploitation attacks.

Re: REPL Server: Guard against HTTP inter-protocol exploitation attacks.

Re: REPL Server: Guard against HTTP inter-protocol exploitation attacks.

3 matches

Site Navigation

Mail list logo

Footer information