Re: REPL Server: Guard against HTTP inter-protocol exploitation attacks.
From: Ludovic Courtès
Subject: Re: REPL Server: Guard against HTTP inter-protocol exploitation attacks.
Date: Wed, 12 Oct 2016 14:23:58 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Alex Kost <address@hidden> wrote:
> Hello, I've noticed an insignificant typo in commit
> 08c021916dbd3a235a9f9cc33df4c418c0724e03 (in the fancy warning message).
>
> [...]
>> + ;; Print a report to STDERR (POSIX file descriptor 2).
>> + ;; XXX Can we do better here?
>> + (call-with-port (dup->port 2 "w")
>> + (cut format <> "
>> +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> +@@ POSSIBLE BREAK-IN ATTEMPT ON THE REPL SERVER @@
>> +@@ BY AN HTTP INTER-PROTOCOL EXPLOITATION ATTACK. See: @@
>> +@@ <https://en.wikipedia.org/wiki/Inter-protocol_exploitation> @@
>> +@@ Possible HTTP request received: ~S
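
Review bot: the "Possible HTTP request received: ~S" line is the only banner line among those shown without a closing "@@", and nothing next to the format string says this is deliberate. Since ~S expands to the received request, whose length is not fixed, the right edge cannot be aligned on that line; a short comment above the string saying so would keep the omission from being corrected later as a typo. The "XXX Can we do better here?" comment could also state what is unsatisfactory about writing to file descriptor 2 directly.
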
> ^^
> Missing trailing "@@" in the above line.
As discussed on IRC, I think this is intended: we don’t know the length
of the string being printed by ~S.
Ludo’.