Re: [EXTERNAL] RE: AW: Re busybox tar hidden filename exploit

2024-07-15 Thread Ian Norton
On 15 July 2024 16:39 David Laight wrote:
> On 03 July 2024 01:29 'Michael Conrad' wrote:
> > The underlying root problem here is the same as SQL injection or HTML
> > cross-site scripting attacks. You have data, and you emit it in a
> > context that is expecting a language/protocol
I'm sure s

RE: AW: Re busybox tar hidden filename exploit

2024-07-15 Thread David Laight
From: Michael Conrad
> Sent: 03 July 2024 01:29
>
> The underlying root problem here is the same as SQL injection or HTML
> cross-site scripting attacks. You have data, and you emit it in a
> context that is expecting a language/protocol of some sort, not raw
> data. You then need to escape anyt

Re: [EXTERNAL] Re: AW: Re busybox tar hidden filename exploit

2024-07-08 Thread Ian Norton
From: busybox on behalf of Michael Conrad mcon...@intellitree.com
> The underlying root problem here is the same as SQL injection or HTML
> cross-site scripting attacks.
> You have data, and you emit it in a context that is expecting a
> language/protocol of some

Re: AW: Re busybox tar hidden filename exploit

2024-07-02 Thread Michael Conrad
The underlying root problem here is the same as SQL injection or HTML cross-site scripting attacks.  You have data, and you emit it in a context that is expecting a language/protocol of some sort, not raw data.  You then need to escape anything in your data that could be misinterpreted as the p

Re: AW: Re busybox tar hidden filename exploit

2024-06-24 Thread Bernd Petrovitsch
Hi all! On 24/06/2024 10:03, Walter Harms wrote: [...] what do you expect now ? Do you have patch ? Do you want to start a discussion about possible solution ? Actually such filenames may exist in the filesystem so this point applies to `ls`, `find`, any other program listing files or handling