unofficial mirror of guile-devel@gnu.org 
* Re: REPL Server: Guard against HTTP inter-protocol exploitation attacks.
       [not found] ` <20161011133746.47A04220168@vcs.savannah.gnu.org>
@ 2016-10-12  8:21   ` Alex Kost
  2016-10-12 12:23     ` Ludovic Courtès
  0 siblings, 1 reply; 3+ messages in thread
From: Alex Kost @ 2016-10-12  8:21 UTC
  To: guile-devel; +Cc: Ludovic Courtès

Hello, I've noticed an insignificant typo in commit
08c021916dbd3a235a9f9cc33df4c418c0724e03 (in the fancy warning message).

[...]
> +               ;; Print a report to STDERR (POSIX file descriptor 2).
> +               ;; XXX Can we do better here?
> +               (call-with-port (dup->port 2 "w")
> +                 (cut format <> "
> +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> +@@ POSSIBLE BREAK-IN ATTEMPT ON THE REPL SERVER                @@
> +@@ BY AN HTTP INTER-PROTOCOL EXPLOITATION ATTACK.  See:        @@
> +@@ <https://en.wikipedia.org/wiki/Inter-protocol_exploitation> @@
> +@@ Possible HTTP request received: ~S
                                                                  ^^
Missing trailing "@@" in the above line.

> +@@ The associated socket has been closed.                      @@
> +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n"
> +                      (string-append request-line
> +                                     drained-input)))))
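
Review bot: The argument given to ~S at the end of this hunk, (string-append request-line drained-input), comes entirely from the remote peer, and nothing in these lines bounds its length, so a single connection can write an arbitrarily large report to file descriptor 2. ~S prints the string in its written form with newlines and control characters escaped, which keeps the peer from forging banner lines, so the remaining concern is size: truncate the string to a fixed maximum before formatting and say in the report that it was truncated. The XXX comment should also be resolved before merging: the report goes to a dup of descriptor 2 rather than to the current error port, so the comment should state why the raw descriptor is used.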

-- 
Alex




* Re: REPL Server: Guard against HTTP inter-protocol exploitation attacks.
  2016-10-12  8:21   ` REPL Server: Guard against HTTP inter-protocol exploitation attacks Alex Kost
@ 2016-10-12 12:23     ` Ludovic Courtès
  2016-10-13  8:46       ` Alex Kost
  0 siblings, 1 reply; 3+ messages in thread
From: Ludovic Courtès @ 2016-10-12 12:23 UTC
  To: Alex Kost; +Cc: guile-devel

Alex Kost <alezost@gmail.com> wrote:

> Hello, I've noticed an insignificant typo in commit
> 08c021916dbd3a235a9f9cc33df4c418c0724e03 (in the fancy warning message).
>
> [...]
>> +               ;; Print a report to STDERR (POSIX file descriptor 2).
>> +               ;; XXX Can we do better here?
>> +               (call-with-port (dup->port 2 "w")
>> +                 (cut format <> "
>> +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> +@@ POSSIBLE BREAK-IN ATTEMPT ON THE REPL SERVER                @@
>> +@@ BY AN HTTP INTER-PROTOCOL EXPLOITATION ATTACK.  See:        @@
>> +@@ <https://en.wikipedia.org/wiki/Inter-protocol_exploitation> @@
>> +@@ Possible HTTP request received: ~S
>                                                                   ^^
> Missing trailing "@@" in the above line.

As discussed on IRC, I think this is intended: we don’t know the length
of the string being printed by ~S.

Ludo’.




* Re: REPL Server: Guard against HTTP inter-protocol exploitation attacks.
  2016-10-12 12:23     ` Ludovic Courtès
@ 2016-10-13  8:46       ` Alex Kost
  0 siblings, 0 replies; 3+ messages in thread
From: Alex Kost @ 2016-10-13  8:46 UTC
  To: Ludovic Courtès; +Cc: guile-devel

Ludovic Courtès (2016-10-12 14:23 +0200) wrote:

> Alex Kost <alezost@gmail.com> wrote:
>
>> Hello, I've noticed an insignificant typo in commit
>> 08c021916dbd3a235a9f9cc33df4c418c0724e03 (in the fancy warning message).
>>
>> [...]
>>> +               ;; Print a report to STDERR (POSIX file descriptor 2).
>>> +               ;; XXX Can we do better here?
>>> +               (call-with-port (dup->port 2 "w")
>>> +                 (cut format <> "
>>> +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>> +@@ POSSIBLE BREAK-IN ATTEMPT ON THE REPL SERVER                @@
>>> +@@ BY AN HTTP INTER-PROTOCOL EXPLOITATION ATTACK.  See:        @@
>>> +@@ <https://en.wikipedia.org/wiki/Inter-protocol_exploitation> @@
>>> +@@ Possible HTTP request received: ~S
>>                                                                   ^^
>> Missing trailing "@@" in the above line.
>
> As discussed on IRC, I think this is intended: we don’t know the length
> of the string being printed by ~S.

Yes, I got it, thanks and sorry for bothering :-)

-- 
Alex


