[Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
Lamer Buster
lamerbuster at gmail.com
Mon Oct 8 04:14:18 BST 2007
why don't you guys agree to disagree and STUF?
On 10/8/07, Geo. <geoincidents at nls.net> wrote:
> ----- Original Message -----
> From: "Glynn Clements" <glynn at gclements.plus.com>
>
> > URIs which it passes to an external handler (e.g. mailto:), it only
> > needs to identify the scheme (to select the correct handler); it is
> > the handler's responsibility to validate its own URIs (i.e. mail
> > programs need to validate mailto: URIs).
>
> I don't agree. Whatever program takes input from an untrusted source, it's
> that programs duty to sanitize the input before passing it on to internal
> components. It's like a firewall, you filter before it gets inside the
> system.
>
> Example, an ftp server has to sanitize filenames to prevent useage of
> streams on NTFS, you don't blame the filesystem that the input gets passed
> to, it's the job of the ftp server to do the sanitizing of untrusted input.
>
> Geo.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Full-Disclosure is hosted and sponsored by Secunia.