Subject: Re: My Airlock
Newsgroups: lugnet.admin.nntp
Date: Fri, 7 Mar 2003 01:58:45 GMT
Viewed: 2171 times
Dan Boger <dan@peeron.com> writes:
> tsk tsk, you never take tainted data and just blindly trust it, do you?
> :) I agree that everything from the 'D' on is dropped, but probably
> because Kevin, in his infinite wisdom, made brickshelf make SURE that
> it's really getting just a number :)
Maybe. But if it were me, I would just throw up an error page rather
than truncate the number at the first non-digit.
> never, ever, trust input you got externally.
Naturally. I fear that in this case though, that may be what is going
on. That's not to say there's *necessarily* a security hole:
obviously it's getting translated to a simple integer somehow.
--Bill.
--
William R Ward bill@wards.net http://www.wards.net/~bill/
-----------------------------------------------------------------------------
"A foolish consistency is the hobgoblin of little minds, adored by
little statesmen and philosophers and divines." - Emerson
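The distinction Bill draws above, rejecting a malformed id with an error page instead of silently truncating it at the first non-digit, shown in working code. This is an added example, not code from the original thread or from brickshelf; the sample ids, the MAX_ID bound and the handle_request function are constructed assumptions for illustration.

```python
import re

# Constructed sample inputs of the kind a CGI script might receive in a
# query string. "123Dfoo" mirrors the thread's case: digits followed by a
# stray 'D' and more characters.
SAMPLE_IDS = ["123", "123Dfoo", "D123", "", " 42 ", "0x1F", "\u0664\u0662"]

LEADING_DIGITS = re.compile(r"^([0-9]+)")
ALL_DIGITS = re.compile(r"[0-9]+")

# Hypothetical upper bound for a valid id (assumption, not brickshelf's).
MAX_ID = 10 ** 9


def lenient_int(raw):
    """Truncating parse: keep the leading digits, silently drop the rest.

    This mirrors the behaviour the thread describes (everything from the
    'D' on is dropped). It never fails, which is exactly the problem: the
    caller cannot tell a clean id from a mangled one, and "D123" or ""
    quietly become 0.
    """
    m = LEADING_DIGITS.match(raw)
    return int(m.group(1)) if m else 0


def strict_int(raw):
    """Validating parse: accept only a string that is entirely ASCII digits
    and within range; raise ValueError on anything else.

    An explicit [0-9] class is used rather than str.isdigit() or a bare
    int(): both accept non-ASCII digit characters (int("\u0664\u0662")
    is 42), and isdigit() accepts superscripts that int() then rejects.
    """
    if not isinstance(raw, str) or not ALL_DIGITS.fullmatch(raw):
        raise ValueError("id must be all digits: %r" % (raw,))
    value = int(raw)
    if value > MAX_ID:
        raise ValueError("id out of range: %d" % value)
    return value


def handle_request(raw_id):
    """Hypothetical request handler: returns (status, body).

    Malformed input gets an error page (400) instead of a guessed id.
    """
    try:
        item_id = strict_int(raw_id)
    except ValueError as exc:
        return (400, "Bad request: %s" % exc)
    return (200, "item %d" % item_id)


def compare_all(raw_ids=SAMPLE_IDS):
    """Side by side: what truncation yields versus what validation does."""
    return [(raw, lenient_int(raw), handle_request(raw)[0]) for raw in raw_ids]


if __name__ == "__main__":
    for raw, lenient, status in compare_all():
        print("%-12r truncated -> %-6d strict -> HTTP %d" % (raw, lenient, status))
```

Running the block prints one line per sample id; every input that the truncating parse silently coerces (including the empty string and the Arabic-Indic digits) comes back from the strict handler as a 400 rather than as a plausible-looking integer.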
Message is in Reply To:
Re: My Airlock (28-Feb-03, to lugnet.admin.nntp): (...) yes, you are probably correct. (...) tsk tsk, you never take tainted data and just blindly trust it, do you? :) I agree that everything from the 'D' on is dropped, but probably because Kevin, in his infinite wisdom, made brickshelf make SURE (...)