guile-devel

Re: REPL Server: Guard against HTTP inter-protocol exploitation attacks.


From: Ludovic Courtès
Subject: Re: REPL Server: Guard against HTTP inter-protocol exploitation attacks.
Date: Wed, 12 Oct 2016 14:23:58 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Alex Kost <address@hidden> writes:

> Hello, I've noticed an insignificant typo in commit
> 08c021916dbd3a235a9f9cc33df4c418c0724e03 (in the fancy warning message).
>
> [...]
>> +               ;; Print a report to STDERR (POSIX file descriptor 2).
>> +               ;; XXX Can we do better here?
>> +               (call-with-port (dup->port 2 "w")
>> +                 (cut format <> "
>> +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> +@@ POSSIBLE BREAK-IN ATTEMPT ON THE REPL SERVER                @@
>> +@@ BY AN HTTP INTER-PROTOCOL EXPLOITATION ATTACK.  See:        @@
>> +@@ <https://en.wikipedia.org/wiki/Inter-protocol_exploitation> @@
>> +@@ Possible HTTP request received: ~S
>                                                                   ^^
> Missing trailing "@@" in the above line.
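
Review bot: the last banner line, `@@ Possible HTTP request received: ~S`, has no closing `@@`, and nothing in the hunk says this is deliberate, so it reads as a typo. A one-line comment beside the format string, noting that the `~S` output has unknown length and the box is therefore left open on that line, would prevent repeat reports. The `XXX Can we do better here?` comment above `(dup->port 2 "w")` also does not say what is unsatisfactory about writing to file descriptor 2; naming the concern would make it actionable.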

As discussed on IRC, I think this is intended: we don’t know the length
of the string being printed by ~S.

Ludo’.


