
Re: [reSIProcate] Message::operator<<


Hey,

This really concerns me from a security point of view. If there is any chance that an attacker can use a program that just writes out a message to a log (for example) as an attack vector then I think we should pay the performance penalty to protect the app developer.

thx,
-r

On Jul 15, 2004, at 1:19 PM, david Butcher wrote:

Hi all,

I removed the call to escaped() in Message::operator<<.
This was an efficiency hit and breaks UTF-8.

Apps calling only msg->encode(stream) are not exposed to this problem.

We don't deal with %xx encoding on the read side anyway.
I have some ideas about how to deal with this if any one needs to in the
short term.

Some of us have been careful to escape when outputting to the log.
This change may reduce logging safety. If you want to encode a message going to the log, use << Data::from(*msg).escaped() rather than just << *msg.

david

_______________________________________________
resiprocate-devel mailing list
resiprocate-devel@xxxxxxxxxxxxxxxxxxx
https://list.sipfoundry.org/mailman/listinfo/resiprocate-devel
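The thread's tension is between the two properties an escaping step for log output needs: it must neutralise bytes that let message content forge or split log lines (CR, LF and other control characters), yet it must not mangle multi-byte UTF-8 the way a byte-by-byte escaped() does. The following is an added example, not reSIProcate code: a stand-alone C++ helper (the `logsafe` namespace, `logEscape` and `utf8SequenceLength` are hypothetical names) that %xx-encodes control bytes, DEL, a literal '%' and any byte that is not part of a well-formed UTF-8 sequence, while copying valid UTF-8 sequences through unchanged. It works on a plain std::string rather than on resip::Data, so the sample header below is constructed inline.

```cpp
// Added example, not part of reSIProcate: a log-escaping helper that keeps
// well-formed UTF-8 intact while neutralising bytes that can forge log lines.
#include <cstdint>
#include <cstdio>
#include <iostream>
#include <string>

namespace logsafe {  // hypothetical namespace for this example

// Length of a well-formed UTF-8 sequence starting at s[i], or 0 if the bytes
// at that position are not valid UTF-8 (overlongs, surrogates and code points
// above U+10FFFF are rejected, as are truncated sequences).
static size_t utf8SequenceLength(const std::string& s, size_t i) {
    const unsigned char b0 = static_cast<unsigned char>(s[i]);
    size_t len;
    if (b0 < 0x80)                  return 1;   // plain ASCII
    else if (b0 >= 0xC2 && b0 <= 0xDF) len = 2;
    else if (b0 >= 0xE0 && b0 <= 0xEF) len = 3;
    else if (b0 >= 0xF0 && b0 <= 0xF4) len = 4;
    else                            return 0;   // stray continuation byte or C0/C1/F5..FF
    if (i + len > s.size())         return 0;   // truncated at end of input
    for (size_t k = 1; k < len; ++k) {
        const unsigned char c = static_cast<unsigned char>(s[i + k]);
        if ((c & 0xC0) != 0x80)     return 0;   // continuation byte expected
    }
    const unsigned char b1 = static_cast<unsigned char>(s[i + 1]);
    if (b0 == 0xE0 && b1 < 0xA0)    return 0;   // overlong 3-byte form
    if (b0 == 0xED && b1 >= 0xA0)   return 0;   // UTF-16 surrogate range
    if (b0 == 0xF0 && b1 < 0x90)    return 0;   // overlong 4-byte form
    if (b0 == 0xF4 && b1 >= 0x90)   return 0;   // above U+10FFFF
    return len;
}

// Escape a message for a single log line: control characters (including CR
// and LF), DEL, '%' and every byte outside a valid UTF-8 sequence become %XX;
// valid multi-byte UTF-8 is copied verbatim. Output never contains a raw
// line break, so one message cannot masquerade as several log entries.
std::string logEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    size_t i = 0;
    while (i < in.size()) {
        const unsigned char c = static_cast<unsigned char>(in[i]);
        const size_t len = utf8SequenceLength(in, i);
        if (len >= 2) {                 // well-formed multi-byte UTF-8
            out.append(in, i, len);
            i += len;
            continue;
        }
        if (len == 1 && c >= 0x20 && c != 0x7F && c != '%') {
            out.push_back(static_cast<char>(c));   // printable ASCII
        } else {
            char buf[4];                // "%XX" plus terminator
            std::snprintf(buf, sizeof buf, "%%%02X", c);
            out.append(buf, 3);
        }
        ++i;
    }
    return out;
}

}  // namespace logsafe

int main() {
    // Constructed sample: a SIP From header whose display name carries UTF-8
    // plus an injected CRLF followed by text shaped like a second log entry.
    const std::string header =
        "From: \"" "\xC3\x9C" "ber\" <sip:alice@example.com>\r\n"
        "Aug 1 00:00:00 proxy: forged entry\n";
    std::cout << logsafe::logEscape(header) << '\n';
    return 0;
}
```

Running the sample prints the header on one line with the CRLF rendered as %0D%0A and the U-umlaut left as its two UTF-8 bytes. Escaping '%' as %25 keeps the encoding unambiguous, so a reader of the log can tell an escaped control byte from a percent sign that was in the message.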