On Sun, Jan 02, 2005 at 01:37:36AM +0100, Mauro Tortonesi wrote: > i have just commited the new string.c module which includes a mechanism to > fix > the bug reported by no?l köthe: > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=271931
#271931 is: >>> From: Ambrose Li <[EMAIL PROTECTED]> >>> Subject: Weird escaping makes wget verbose output completely >>> unreadable in non-English locales >>> Message-ID: <[EMAIL PROTECTED]> Perhaps You meant [0]the #261755? [0] http://bugs.debian.org/261755 > the code was inspired by felix von leitner's libowfat and by jan minar's bug > fixing patch. > > unfortunately i haven't fixed the bug yet since i don't like jan minar's > approach (changing logprintf in a not so portable way to encode every string > passed to the function as an argument) because of its inefficiency. That was a hotfix. You know, that thing that you do in order not to have a security hole Right Now. > as Fumitoshi UKAI suggested, the best choice would be to escape only the > strings that need to be escaped. so, i think we should probably check > together which strings passed to logprintf in the wget code need to be > escaped. anyone willing to help? You don't want to check whether this or that string accidentally needs or doesn't need to get escaped. The right way is to sanitize *all* untrusted input before you even start thinking about using it. Something along the way of the Perl tainted variables. (The way wget is written makes this extremely hard to implement without rewriting large portions of the code, as it has been observed many times by Mauro, me, and others.) Happy new 2005 CE is being brought to you by: -- )^o-o^| jabber: [EMAIL PROTECTED] | .v K e-mail: jjminar FastMail FM ` - .' phone: +44(0)7981 738 696 \ __/Jan icq: 345 355 493 __|o|__Minář irc: [EMAIL PROTECTED]
pgpXWVxraGKnX.pgp
Description: PGP signature
