[reSIProcate] Message::operator<<
Rohan Mahy
rohan at cisco.com
Thu Jul 15 16:28:17 CDT 2004
Hey,
This really concerns me from a security point of view. If there is any
chance that an attacker can use a program that just writes out a
message to a log (for example) as an attack vector then I think we
should pay the performance penalty to protect the app developer.
thx,
-r
On Jul 15, 2004, at 1:19 PM, david Butcher wrote:
> Hi all,
>
> I removed the call to escaped() in Message::operator<<.
> This was an efficiency hit and breaks UTF-8.
>
> Apps calling only msg->encode(stream) are not exposed to this problem.
>
> We don't deal with %xx encoding on the read side anyway.
> I have some ideas about how to deal with this if anyone needs to in the
> short term.
>
> Some of us have been careful to escape when outputting to the log.
> This change may reduce logging safety. If you want to encode a message
> going to the log, use << Data::from(*msg).escaped() rather than just << *msg.
>
> david
>
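The logging-safety concern raised in this thread, as an added example that is not part of the original post or of reSIProcate itself: a small stand-alone escaper (hypothetical `logEscape`, not resip's `Data::escaped()`) that neutralises CR/LF and other control bytes before a message reaches a text log, while passing UTF-8 multi-byte sequences through unchanged. The SIP headers below are constructed sample input.

```cpp
// Added example (not reSIProcate code): a log-safe escaper that neutralises
// CR/LF and other control bytes (so a crafted SIP header cannot split or
// forge log lines) while leaving multi-byte UTF-8 sequences untouched.
#include <cstdio>
#include <string>

// Percent-encode bytes that could corrupt a text log: ASCII control chars
// (including CR, LF, ESC), DEL, and '%' itself so the output is unambiguous.
// Bytes >= 0x80 are passed through unchanged, which keeps UTF-8 intact.
std::string logEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (unsigned char c : in) {
        const bool control = (c < 0x20) || (c == 0x7f);
        if (control || c == '%') {
            char buf[4];
            std::snprintf(buf, sizeof buf, "%%%02X", c);
            out += buf;
        } else {
            out += static_cast<char>(c);
        }
    }
    return out;
}

// Number of log lines a string would occupy if written to the log raw.
std::size_t rawLineCount(const std::string& s) {
    std::size_t n = 1;
    for (char c : s) {
        if (c == '\n') ++n;
    }
    return n;
}

int main() {
    // Constructed sample: a From header whose display name carries a CRLF,
    // which would otherwise start a second, attacker-chosen log line.
    const std::string hostile =
        "From: \"alice\r\nforged second log line\" <sip:alice@example.com>";
    // Constructed sample with a UTF-8 display name ("Zoë") that must survive.
    const std::string utf8 = "From: \"Zo\xC3\xAB\" <sip:zoe@example.com>";
    std::printf("raw:     %zu line(s)\n", rawLineCount(hostile));
    std::printf("escaped: %zu line(s)\n", rawLineCount(logEscape(hostile)));
    std::printf("%s\n", logEscape(utf8).c_str());
    return 0;
}
```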