Re: Another small metacharacter bug in Penguin Traceroute v1.0

From: Andreas Beck (becka@uni-duesseldorf.de)
Date: Mon Jun 17 2002 - 10:26:33 PDT


    Marco van Berkum <m.v.berkumat_private> wrote:
    >    this line "$host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;" under it and
    > Well, yes, it does parse out some metacharacters, but, the " ` " (backtick)
    > is not filtered out in any way. (probably one of the two quotes " ' " should be
    > a backtick). Also the slash and the hyphen are not filtered.
    > 
    > Second fix: replace the second quote by a backtick and add slash and hyphen
    > to the filter :)
    
    Umm - it's a traceroute-sort-of-thing - right? So why not fix it with a 
    whitelist instead of a blacklist?
    
    Allowed domain names should be within [a-zA-z-.]* - right?
    To cater for IPv6 one could add the colon (unless that poses a problem - 
    I see it filtered out above ...), and be done with it.
    
    CU, Andy
    
    -- 
    Andreas Beck             |  Email :  <becka@uni-duesseldorf.de>
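
The whitelist approach suggested in this reply, next to the blacklist line quoted from the earlier post, as an added example that is not part of the thread or of Penguin Traceroute's own code. The function names, the sample inputs and the exact policy (digits allowed, 253-character limit, leading hyphen rejected) are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Blacklist exactly as quoted in the thread: it deletes the listed characters
# and passes everything else through (backtick, slash, hyphen included).
sub blacklist_filter {
    my ($host) = @_;
    $host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;
    return $host;
}

# Whitelist (assumed policy for this example): letters, digits, dot, hyphen,
# and colon for IPv6 literals; 1 to 253 characters; no leading hyphen, so the
# value can never be read as a command-line option. Input is rejected, not
# "cleaned", when it does not match.
sub valid_host {
    my ($host) = @_;
    return 0 unless defined $host;
    return 0 unless $host =~ /\A[A-Za-z0-9.:-]{1,253}\z/;
    return 0 if $host =~ /\A-/;
    return 1;
}

# Constructed sample inputs (not taken from the thread).
my @samples = (
    'www.example.com', '192.0.2.10', '2001:db8::1',
    'example.com`x`', '-x', 'a/b', 'example.com;x',
);

for my $in (@samples) {
    printf "%-18s blacklist -> %-18s whitelist: %s\n",
        $in, blacklist_filter($in), valid_host($in) ? 'accept' : 'reject';
}

# A value that passed valid_host() would then be handed to the program as a
# separate argument (list form of system), so no shell parses it:
#   system('traceroute', $host) if valid_host($host);
```

The output shows the blacklist returning the backtick, slash and hyphen inputs unchanged and mangling the IPv6 literal by stripping its colons, while the whitelist accepts only the three address-shaped inputs.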
    


