possible security vulnerability in user input #297
Comments
From https://pylonsproject.org/community-support.html
Thank you!
@jvanasco did you send an email about this issue? If not, would you please reach out to either the security list or to me personally? xistence@0x58.com or bertjw@regeer.org (either one/both is fine).
I thought I did, but there's nothing in my outbox. I'll email the group now.
Thanks @jvanasco!
If anyone in the general public is worried about this: please don't. Many upstream libraries and web browsers have since integrated safeguards against this overall attack type, making this ticket largely redundant.
@jvanasco I'm going to close this based on your last comment. Could you point to the CVEs for those other projects to give people wondering if they are vulnerable some context?
I don't know of any CVEs offhand, and I can't access any of the secure tickets I filed back then, but I will disclose the issue and what has changed in the industry: When this ticket was filed, web browsers did not render non-printable ASCII characters. Today, they are rendered with placeholders. The previous browser behavior would allow a malicious actor to carefully construct a payload that uses ASCII control characters (like backspace) to appear innocuous, but "transform" into malicious code when copy/pasted into a terminal window (or similar input that recognizes the control characters). This attack vector does take an additional element of human engineering - the malicious actor needs to convince someone to copy/paste user-generated text into a terminal window - but that can be an easy task with coding websites and forums. It's a particularly esoteric potential attack aimed at a particular audience. Modern browsers now render placeholders or will not render the control characters on HTML documents - so there is either a visible warning or no attack vector.
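The disclosure above describes text that looks harmless on a web page but changes meaning once a terminal interprets its control characters. The following is an added example, not code from colander or from anyone in this thread: a validator in the `(node, value)` shape colander validators take (it raises `ValueError` here; a real colander validator would raise `colander.Invalid(node, msg)`), a sanitizer that strips C0 controls while keeping tab/LF/CR, and a deliberately simplified, hypothetical model of how a terminal displays backspaces so the gap between "what the page shows" and "what gets pasted" is visible on constructed input.

```python
"""Reject or strip ASCII control characters in user-supplied form text.

Added example; not code from colander or from this issue thread.
render_like_terminal() is a hypothetical, simplified terminal model:
real terminals and editors differ in how they handle control characters.
"""
import re

# C0 controls (U+0000-U+001F) and DEL (U+007F), minus the whitespace that
# form fields normally accept: tab (0x09), line feed (0x0A), CR (0x0D).
_DISALLOWED = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def find_control_chars(text: str) -> list[tuple[int, str]]:
    """List (offset, 'U+XXXX') for every disallowed control character."""
    return [(m.start(), f"U+{ord(m.group()):04X}") for m in _DISALLOWED.finditer(text)]


def strip_control_chars(text: str) -> str:
    """Sanitize: drop disallowed control characters, keep tab/LF/CR."""
    return _DISALLOWED.sub("", text)


def no_control_chars(node, value):
    """Validator in colander's (node, value) shape. Raises ValueError here;
    inside colander you would raise colander.Invalid(node, msg) instead."""
    found = find_control_chars(value)
    if found:
        raise ValueError("control characters not allowed: "
                         + ", ".join(code for _, code in found))


def render_like_terminal(text: str) -> str:
    """What a terminal would *display* after echoing `text`: backspace
    (0x08) moves the cursor left one cell; later characters overwrite."""
    cells: list[str] = []
    cursor = 0
    for ch in text:
        if ch == "\x08":
            cursor = max(0, cursor - 1)
            continue
        if cursor < len(cells):
            cells[cursor] = ch
        else:
            cells.append(ch)
        cursor += 1
    return "".join(cells)


# Constructed sample: with backspaces ignored it reads "helloworld";
# a terminal displays only "world". A validator sees five U+0008.
SAMPLE = "hello\x08\x08\x08\x08\x08world"
```

Validation (reject) is the safer default for fields that may be copied elsewhere; stripping is the fallback when the field must accept arbitrary text and a placeholder rendering cannot be relied on.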
Thanks for the follow-up, @jvanasco!
I discovered a specific vulnerability in a handful of Python form validation and sanitization libraries yesterday. Colander is affected. The behavior is desired in some contexts, but dangerous in most HTTP/HTML contexts.
Is there someone I can email about this?