Bugtraq mailing list archives
Re: Another small metacharacter bug in Penguin Traceroute v1.0
From: Andreas Beck <becka () uni-duesseldorf de>
Date: Mon, 17 Jun 2002 19:26:33 +0200
Marco van Berkum <m.v.berkum () obit nl> wrote:
> this line "$host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;" under it and
>
> Well, yes, it does parse out some metacharacters, but, the " ` " (backtick)
> is not filtered out in any way. (probably one of the two quotes " ' " should
> be a backtick). Also the slash and the hyphen are not filtered.
>
> Second fix: replace the second quote by a backtick and add slash and hyphen
> to the filter :)
Umm - it's a traceroute-sort-of-thing - right?

So why not fix it with a whitelist instead of a blacklist?

Allowed domain names should be within [a-zA-z-.]* - right? To cater for IPv6 one could add the colon (unless that poses a problem - I see it filtered out above ...), and be done with it.

CU, Andy

--
Andreas Beck | Email : <becka () uni-duesseldorf de>
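Added example, not part of the original message or of Penguin Traceroute: a Perl sketch of the whitelist approach suggested above, next to the blacklist quoted in the thread. The helper names, the traceroute path, the length limit and the inclusion of digits (needed for IP addresses) are assumptions. The class uses `A-Z` rather than `A-z`, because the ASCII range `A-z` also spans `[ \ ] ^ _` and the backtick.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Blacklist from the quoted message, reproduced as posted (the "before").
sub blacklist_filter {
    my ($host) = @_;
    $host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;
    return $host;
}

# Allowlist check (hypothetical helper): returns the host unchanged, or undef.
sub validate_host {
    my ($host) = @_;
    return unless defined($host) && length($host) && length($host) <= 255;
    # Letters, digits, dot, hyphen; colon only so IPv6 literals pass.
    return unless $host =~ /\A[A-Za-z0-9.:-]+\z/;
    # A leading hyphen would be read by traceroute as an option.
    return if $host =~ /\A-/;
    return $host;
}

# List-form system() hands argv straight to the program; no shell parses it.
# The binary path is an assumption; adjust for the target system.
sub run_traceroute {
    my ($host) = @_;
    my $ok = validate_host($host);
    die "rejected host\n" unless defined($ok);
    return system('/usr/sbin/traceroute', $ok);
}

# Constructed sample inputs; nothing is executed in this comparison.
my @samples = ('www.example.com', '192.0.2.1', '2001:db8::1',
               'example.com`echo x`', '-h', 'a/b');
for my $in (@samples) {
    my $ok = validate_host($in);
    printf "%-22s blacklist -> %-22s allowlist -> %s\n",
        $in, blacklist_filter($in), defined($ok) ? 'accept' : 'reject';
}
```

On these inputs the blacklist passes the backtick, hyphen and slash samples through unchanged and strips the colons out of the IPv6 literal, while the allowlist rejects the first three and accepts the IPv6 literal intact.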