CVSROOT: /cvs Module name: src Changes by: sema...@cvs.openbsd.org 2015/07/15 10:02:39
Modified files:
usr.sbin/httpd : server_http.c
Log message:
httpd don't sanitize variables before putting them in logs. It is possible for
an attacker to push arbitaries characters in logs (newline for forging entries,
or some control escaping interpreted by terminal emulator).
OK reyk@
