closing hackerone reports as not applicable without mercy on a Saturday night

one of them claimed the fact that you can run "curl http://¹²7.0.0.1" is a vulnerability.

I insist this is IDN working as designed. However crazy it may look. You just cannot filter URLs like that and assume it will work.
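An added illustration of the point above, not part of the original post and not curl's code: a raw-string filter misses the superscript host from the report, while a check that folds the host first catches it. NFKC normalization is used here as an assumed stand-in for the IDN mapping step, and all function names and the sample URL constant are hypothetical.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Constructed sample: the host from the report, superscript one and two, then "7.0.0.1".
SAMPLE = "http://\u00b9\u00b27.0.0.1/"
BLOCKED_NAMES = {"localhost"}


def naive_is_blocked(url: str) -> bool:
    """String match on the raw URL, the kind of filter the post says cannot work."""
    return "127.0.0.1" in url or "localhost" in url.lower()


def canonical_host(url: str) -> str:
    """Return the host after compatibility folding (approximation of IDN mapping)."""
    host = urlsplit(url).hostname or ""
    # NFKC folds superscript and fullwidth characters to their ASCII equivalents.
    host = unicodedata.normalize("NFKC", host).lower()
    # IDN also treats these full-stop variants as label separators.
    for dot in ("\u3002", "\uff0e", "\uff61"):
        host = host.replace(dot, ".")
    return host.rstrip(".")


def is_blocked(url: str) -> bool:
    """Decide on the canonical host, parsed as an address where possible."""
    host = canonical_host(url)
    if host in BLOCKED_NAMES:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; this sketch does not resolve it
    return addr.is_loopback or addr.is_private or addr.is_link_local


if __name__ == "__main__":
    print("naive filter blocks sample:", naive_is_blocked(SAMPLE))
    print("canonical host:", canonical_host(SAMPLE))
    print("canonical filter blocks sample:", is_blocked(SAMPLE))
```

Names that resolve to loopback through DNS are outside what this sketch covers; that needs a check on the resolved address at connect time.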

closed a third. Turns out Windows sometimes does fun IDN-like unicode-to-ASCII conversions for command lines that then allow users to insert unicode characters in cmdline arguments when run on Windows, and they are converted to their ASCII look-alike counterparts. Which can be abused to insert arguments and whatnot.

Not a curl security flaw. Just the weirdest Windows feature I've seen in a while. And probably a security problem in many places.

@bagder That's the cause of the latest RCE in PHP (our checking code didn't realise Windows did this, because... Why would it?)

Are you of the opinion this is a Windows bug instead?

@derickr @bagder which RCE? Do you have a CVE ID or link? I haven't caught this in my news feeds
