I did the search; the docs were pretty obtuse, though..
I still don't see the need to have this check here.. if the bug is that
someone passes in some %u-encoded character and some Cisco router
doesn't detect it properly.. I still don't see what Shindig has to do
with that.. If you're worried about that, outlaw "%u" encoding. Or
decode all values first, then re-encode them. (Wait, we're already doing
that.)
Plus, they are just referring to "exploit signatures", so you can use %u
in either parameter names or parameter values.. it still changes the
signature used by some stupid detection system (really, what detection
system looks for a precise string match on a URL anyhow?).
Plus, having Shindig add a fix for some broken detection system is, I
think, totally off-base..
But then again, this is just the first time I've heard of this. :)
And for now I'm just happy with supporting ":".
So I won't push anymore.. unless someone else agrees with me. :)
I just created a JIRA issue, with a patch.
Brian Eaton wrote:
> On Fri, Apr 4, 2008 at 12:32 PM, Fernando Padilla <[EMAIL PROTECTED]> wrote:
>> Is there any real reason to restrict the parameter names beyond
>> oauth/opensocial? Should I just submit the patch to remove the
>> ALLOWE_PARAM_NAME checking altogether?
> The check is there for security reasons, to prevent any attempt to
> smuggle in an opensocial param that our code misses but the verifying
> code accepts. Search the web for "IDS bypass" for pointers to various
> kinds of attacks that might be possible.
> Modifying the regex to allow the ":" character as well as the
> characters it permits already seems reasonable, but we should be
> paranoid about adding additional characters.
> Cheers,
> Brian
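
The allowlist check Brian describes, as an added example that is not Shindig's own code: a raw-name filter beside the decode-first variant Fernando suggests, run over constructed parameters. The regexes, the reserved prefixes and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Assumed allowlists modelled on the ALLOWE_PARAM_NAME regex from the thread
# (not Shindig's code).  STRICT admits plain name characters plus ':';
# LOOSE additionally admits '%', to show why extra characters need paranoia.
STRICT_NAME = re.compile(r'^[A-Za-z0-9_.:-]+$')
LOOSE_NAME = re.compile(r'^[A-Za-z0-9_.:%-]+$')
# Prefixes the container sets itself; clients must not be able to supply them.
RESERVED_PREFIXES = ('oauth_', 'opensocial_', 'xoauth_')

def is_reserved(name):
    return name.lower().startswith(RESERVED_PREFIXES)

def filter_client_params(params, name_rule=STRICT_NAME, canonicalize=False):
    """Keep client params whose name passes name_rule and is not reserved.

    canonicalize=False checks the raw name (Brian's approach: forbid the
    characters that make encoding tricks possible).  canonicalize=True
    percent-decodes first (Fernando's "decode, then check"); that only helps
    if this decoder matches the downstream verifier's, and urllib's unquote
    does not understand %u sequences, for example.  Returns (kept, rejected).
    """
    kept, rejected = {}, {}
    for raw, value in params.items():
        name = unquote(raw) if canonicalize else raw
        if name_rule.match(name) and not is_reserved(name):
            kept[raw] = value
        else:
            rejected[raw] = value
    return kept, rejected

def smuggled_reserved_names(params, name_rule=STRICT_NAME, canonicalize=False):
    """Reserved names a percent-decoding verifier would still see after filtering."""
    kept, _ = filter_client_params(params, name_rule, canonicalize)
    return sorted(n for n in (unquote(r) for r in kept) if is_reserved(n))

# Constructed sample request parameters (not taken from any real request).
SAMPLE = {
    'count': '10',
    'os:viewer': 'me',                     # the ':' name the thread wants to allow
    'opensocial_owner_id': 'spoofed',      # plain reserved name, always dropped
    'opensocial%5Fowner%5Fid': 'spoofed',  # same name with '_' percent-encoded
}

if __name__ == '__main__':
    print('strict raw check leaks:', smuggled_reserved_names(SAMPLE))
    print('loose raw check leaks:', smuggled_reserved_names(SAMPLE, LOOSE_NAME))
    print('loose + decode-first leaks:', smuggled_reserved_names(SAMPLE, LOOSE_NAME, True))
```

The strict raw-name rule and the decode-first rule both keep the encoded reserved name away from the verifier; only the loose raw-name rule lets it through, which is the gap Brian's check closes.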