[4033] in WWW Security List Archive
Re: Front-Page extensions?
daemon@ATHENA.MIT.EDU (Adam Shostack)
Wed Jan 22 09:49:51 1997
From: Adam Shostack <adam@homeport.org>
In-Reply-To: <19970121.211638.9614.4.wiseleo@juno.com> from Leonid S Knyshov at "Jan 21, 97 07:51:14 pm"
To: wiseleo@juno.com (Leonid S Knyshov)
Date: Wed, 22 Jan 1997 07:17:22 -0500 (EST)
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Leonid S Knyshov wrote:
| >HTML in and alter the formatting of the message you are giving.
| >This can be abused: I put "<!--" at the end of my message. The
| >messages I put in after that did not appear.
|
| That is what Safe Cgi is all about: we must filter all information
| to exclude illegal characters such as <, >, \n, ;, |, etc.
No, we must filter to only allow those characters we know are safe,
otherwise most people will make the etc set too small, and allow
attacks.
That which is not explicitly permitted is denied.
Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
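The two filtering approaches discussed above, side by side, as an added example that is not part of the original thread. The deny set is the one from the quoted message; the allow set, the sample field values and the function names are assumptions for a hypothetical "name or comment" CGI field.

```python
import re

# Deny list: exactly the characters the quoted message proposes to exclude.
# Whatever "etc." was meant to cover is, by construction, missing.
DENY_CHARS = set('<>\n;|')

# Allow list: only characters explicitly known to be safe for this field
# (assumed set for a plain-text name/comment field; adjust per field).
ALLOW_RE = re.compile(r'[A-Za-z0-9 .,_-]*')

def deny_filter(value: str) -> bool:
    """Accept unless a known-bad character is present (default allow)."""
    return not any(ch in DENY_CHARS for ch in value)

def allow_filter(value: str) -> bool:
    """Accept only if every character is explicitly permitted (default deny)."""
    return ALLOW_RE.fullmatch(value) is not None

# Constructed sample submissions: two ordinary values, the HTML-comment
# case from the quoted message, and three values using characters the
# deny list forgot (a backtick, a bare CR, and the CGI pair separator).
SAMPLES = [
    "Leonid S Knyshov",
    "Thanks for the note.",
    "<!-- everything after this vanished",
    "O`Brien",
    "line one\rline two",
    "name=x&admin=true",
]

def compare(samples=SAMPLES) -> dict:
    """Map each sample to (deny_filter result, allow_filter result)."""
    return {s: (deny_filter(s), allow_filter(s)) for s in samples}

if __name__ == "__main__":
    for s, (d, a) in compare().items():
        print(f"{s!r:40} deny-list={'pass' if d else 'reject':6} "
              f"allow-list={'pass' if a else 'reject'}")
```

The price of the allow list is that it also rejects legitimate input outside the set (an apostrophe in a surname, for instance), so the permitted set has to be chosen per field rather than globally.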