author | Julian Andres Klode <julian.klode@canonical.com> | 2019-01-23 13:57:45 +0100
---|---|---
committer | Julian Andres Klode <julian.klode@canonical.com> | 2019-01-30 13:33:24 +0100
commit | 711cda2302b0dfe5d4ab0588b245ae4a97863e5b (patch) |
tree | 1b9a017af0495a8479e284cbe1f4a4c45712a959 /apt-pkg/orderlist.cc |
parent | 4200469bb5a14c4659285917ed30c46a0b15c286 (diff) |
Verify data being sent by methods in SendMessage()
As a follow-up for CVE-2019-3462, add checks similar to those
for redirect to the central SendMessage() function. The checks
are a bit more relaxed for values - they may include newlines
and unicode characters (newlines get rewritten, so are safe).
For keys and the message header, the checks are far more strict:
They may only contain alphanumerical characters, the hyphen-minus,
and the horizontal space.
In case the method tries to send anything else, we construct a
legal 400 URI Failed response, and send that. We specifically do
not include the item URI, in case it has been compromised (that
would cause infinite recursion).
Diffstat (limited to 'apt-pkg/orderlist.cc')
0 files changed, 0 insertions, 0 deletions
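The validation the commit message describes, modelled as an added example (this is not apt's own SendMessage() code): the header line and keys are held to the strict alphanumeric/hyphen-minus/space rule, values are checked more loosely, and any violation yields a well-formed "400 URI Failed" that deliberately omits the item URI. Which bytes besides newline a value may not contain, and the `"\n "` continuation form used when rewriting newlines, are assumptions of this example.

```cpp
#include <cctype>
#include <string>
#include <utility>
#include <vector>

using Fields = std::vector<std::pair<std::string, std::string>>;

// Strict rule for the "NNN Header" line and for every key: only ASCII
// alphanumerics, hyphen-minus and the horizontal space are accepted.
bool IsStrictToken(const std::string &s) {
    if (s.empty()) return false;
    for (unsigned char c : s)
        if (!std::isalnum(c) && c != '-' && c != ' ') return false;
    return true;
}

// Relaxed rule for values: newlines and non-ASCII (UTF-8) bytes pass.
// Rejecting the remaining C0 control bytes and DEL is an assumption of
// this example; the commit message does not list what values may not hold.
bool IsRelaxedValue(const std::string &s) {
    for (unsigned char c : s)
        if (c != '\n' && (c < 0x20 || c == 0x7f)) return false;
    return true;
}

// Rewrite an embedded newline as "\n " so a value cannot start a new
// "Key: value" line of its own. The continuation form is assumed here.
std::string RewriteValue(const std::string &v) {
    std::string out;
    for (char c : v) { out += c; if (c == '\n') out += ' '; }
    return out;
}

// Model of the central SendMessage(): validate, then serialise. On any
// violation emit a legal "400 URI Failed" that omits the item URI, since a
// compromised URI would otherwise be re-sent and fail the same check again.
std::string SendMessage(const std::string &header, const Fields &fields) {
    bool ok = IsStrictToken(header);
    for (const auto &f : fields)
        ok = ok && IsStrictToken(f.first) && IsRelaxedValue(f.second);
    if (!ok)
        return "400 URI Failed\nMessage: Method sent an invalid message\n\n";
    std::string msg = header + "\n";
    for (const auto &f : fields)
        msg += f.first + ": " + RewriteValue(f.second) + "\n";
    return msg + "\n";  // blank line terminates the message
}
```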