path: root/apt-private/private-download.cc
author: Julian Andres Klode <julian.klode@canonical.com> 2019-01-23 13:57:45 +0100
committer: Julian Andres Klode <julian.klode@canonical.com> 2019-01-30 13:33:24 +0100
commit: 711cda2302b0dfe5d4ab0588b245ae4a97863e5b
tree: 1b9a017af0495a8479e284cbe1f4a4c45712a959 /apt-private/private-download.cc
parent: 4200469bb5a14c4659285917ed30c46a0b15c286
Verify data being sent by methods in SendMessage()
As a follow-up for CVE-2019-3462, add checks similar to those for redirect to the central SendMessage() function. The checks are a bit more relaxed for values - they may include newlines and unicode characters (newlines get rewritten, so are safe). For keys and the message header, the checks are far more strict: They may only contain alphanumerical characters, the hyphen-minus, and the horizontal space. In case the method tries to send anything else, we construct a legal 400 URI Failed response, and send that. We specifically do not include the item URI, in case it has been compromised (that would cause infinite recursion).
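The validation described in the commit message, as an added example that is not apt's own SendMessage() code: a strict character set for the header and keys, a relaxed one for values with embedded newlines rewritten as continuation lines, and a fixed "400 URI Failure" fallback that omits the item URI so the fallback itself can never fail validation. All function names are hypothetical.

```cpp
#include <cctype>
#include <string>
#include <utility>
#include <vector>

using Fields = std::vector<std::pair<std::string, std::string>>;

// Strict rule for the message header and for keys: alphanumerics, '-', ' '.
// Anything else (a ':' or '\n' in particular) could forge extra fields.
bool CheckKey(const std::string &s) {
  return !s.empty() &&
         s.find_first_not_of(" -0123456789abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ") == std::string::npos;
}

// Relaxed rule for values: printable ASCII, tab, newline, or non-ASCII bytes
// (so UTF-8 passes); other control bytes such as '\r' or NUL are rejected.
bool CheckValue(const std::string &s) {
  for (unsigned char c : s)
    if (!(c > 127 || std::isprint(c) || c == '\n' || c == '\t')) return false;
  return true;
}

// Serialises one "Header\nKey: value\n\n" message (hypothetical helper).
// A newline inside a value is emitted as a continuation line ("\n ") so it
// cannot start a new "Key: value" line of its own.
std::string FormatMessage(const std::string &header, const Fields &fields) {
  std::string out = header + '\n';
  for (const auto &f : fields) {
    if (f.second.empty()) continue;
    out += f.first + ": ";
    for (char c : f.second)
      out += (c == '\n') ? std::string("\n ") : std::string(1, c);
    out += '\n';
  }
  return out + '\n';
}

// Validates, then formats. On any violation it returns a constant, known-good
// 400 response that deliberately leaves out the (possibly tainted) URI, so
// the error path cannot trip the same check and recurse.
std::string BuildMessage(const std::string &header, const Fields &fields) {
  bool ok = CheckKey(header);
  for (const auto &f : fields)
    ok = ok && CheckKey(f.first) && CheckValue(f.second);
  if (ok) return FormatMessage(header, fields);
  return FormatMessage("400 URI Failure",
      {{"Message", "Internal error: Method tried to send an invalid message"}});
}
```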
Diffstat (limited to 'apt-private/private-download.cc')
0 files changed, 0 insertions, 0 deletions