Re: [Bug-wget] Vulnerability Report - CRLF Injection in Wget Host Part
From: Tim Rühsen
Subject: Re: [Bug-wget] Vulnerability Report - CRLF Injection in Wget Host Part
Date: Mon, 06 Mar 2017 20:07:23 +0100
User-agent: KMail/5.2.3 (Linux/4.9.0-2-amd64; KDE/5.28.0; x86_64; ; )
On Monday, 6 March 2017 18:11:52 CET Eli Zaretskii wrote:
> > From: Tim Ruehsen <address@hidden>
> > Date: Mon, 06 Mar 2017 10:17:25 +0100
> > Cc: Orange Tsai <address@hidden>
> >
> > Thanks, just pushed a commit, not allowing control chars in host part.
>
> Hmm... is it really enough to reject only ASCII control characters?
> Maybe we should also reject control characters from other Unicode
> ranges? Just a thought.
That is a different issue. And non-ASCII chars will be translated into
punycode form if libidn2 / IRI support is built in. With --disable-iri we
perhaps should reject any non-ASCII chars !? I am open to a patch...
Tim
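
The two checks discussed in this message (rejecting ASCII control characters in the host part, and rejecting non-ASCII bytes when IRI support is disabled), as an added C example that is not wget's code and not part of the original message. The function name `host_is_acceptable` and the `iri_enabled` flag are assumptions, and the sample hosts are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a wget function.
   Checks only the byte classes discussed in the thread:
   - ASCII control characters (0x00-0x1f, 0x7f) are always rejected, so CR,
     LF and NUL cannot reach a request line or Host header via the host part.
   - Bytes >= 0x80 are rejected only when iri_enabled is 0, modelling a
     build without libidn2 / IRI support where no punycode step follows.
   Returns 1 if every byte is acceptable, 0 otherwise. */
int host_is_acceptable(const char *host, size_t len, int iri_enabled)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c < 0x20 || c == 0x7f)
            return 0;               /* ASCII control character */
        if (c >= 0x80 && !iri_enabled)
            return 0;               /* non-ASCII, no IDN conversion available */
    }
    return 1;
}

/* Length is taken from sizeof so an embedded NUL is still examined. */
#define SAMPLE(s) { s, sizeof(s) - 1 }

int main(void)
{
    /* Constructed sample hosts, not taken from the report. */
    static const struct { const char *host; size_t len; } samples[] = {
        SAMPLE("example.com"),
        SAMPLE("example.com\r\nX-Injected: 1"),
        SAMPLE("a\0b"),
        SAMPLE("b\xc3\xbc" "cher.example"),  /* UTF-8 u-umlaut in the label */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: iri=%d no-iri=%d\n", i,
               host_is_acceptable(samples[i].host, samples[i].len, 1),
               host_is_acceptable(samples[i].host, samples[i].len, 0));
    return 0;
}
```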