Issue 172: xdb: escape from spool directory
What steps will reproduce the problem?
1. Register jid ..foobar@example.org
2. Use it to register within pyicq-t transport
...

Assume that /var/db/pyicqt/icq.example.org/ is the spool directory for xmlfiles; the xmlfiles driver will store the record for the jid above at /var/db/pyicqt/..foobar%example.org

It is sort of a security issue, but it's not very harmful, as '/' is an illegal char in a jid (as far as I know).

I'm using the following version of pyicq-t:
commit 97f08d5b51ee7384b30094a8f152aee82aed2e4e
Author: Roman Mindalev <r000n@r000n.net>
Date: Thu Jan 22 20:22:47 2009 +0300

I assume the right way is to change the hash calculation method in the xmlfiles driver, e.g.
-hash = file[0:2]
+hash = hashlib.md5(file).hexdigest()[0:2]
But this is not a compatible change. Moreover, maybe some sort of escaping should be added for any char besides [0-9a-zA-Z]. Just imagine someone with jid b:d@example.org trying to register at a pyicq transport hosted on a Windows server :-)
Mar 20, 2009
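Added illustration (not code from pyicq-t or from the reporter): a jid-to-spool-path mapping that reproduces the behaviour described in the report beside a hardened version combining both of the report's suggestions, the md5-derived subdirectory and percent-escaping of every byte outside [0-9a-zA-Z], plus a containment check that rejects any result outside the spool root. The layout "spool_root/<hash>/<file>" with '@' replaced by '%' is assumed from the report's example path; the function and variable names are hypothetical.

```python
import hashlib
import os

# Constructed spool root, mirroring the layout in the report (assumption).
SPOOL_ROOT = "/var/db/pyicqt/icq.example.org"

# Bytes allowed to appear unescaped in a file name: [0-9a-zA-Z] only.
SAFE_BYTES = frozenset(
    b"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
)


def legacy_path(spool_root, jid):
    """Mapping as the report describes it: '@' becomes '%' and the first
    two characters of the file name choose the subdirectory. A jid that
    starts with '..' therefore selects the parent of the spool root."""
    file = jid.replace("@", "%")
    subdir = file[0:2]
    return os.path.normpath(os.path.join(spool_root, subdir, file))


def escape_jid(jid):
    """Percent-encode every byte outside [0-9a-zA-Z] so the jid becomes a
    single portable path component: '.', '/', ':', '\\' and non-ASCII
    bytes all turn into %XX, so neither '..' nor a drive-letter colon
    can reach the filesystem."""
    out = []
    for b in jid.encode("utf-8"):
        out.append(chr(b) if b in SAFE_BYTES else "%%%02X" % b)
    return "".join(out)


def stays_inside(spool_root, path):
    """True only if path resolves to a location at or below spool_root."""
    root = os.path.abspath(spool_root)
    target = os.path.abspath(path)
    return os.path.commonpath([root, target]) == root


def spool_path(spool_root, jid):
    """Hardened mapping: the subdirectory is the first two hex digits of
    md5(escaped file name), as the report proposes, and the file name is
    the escaped jid. The containment check is defence in depth; with the
    escaping above it should never fire."""
    file = escape_jid(jid)
    subdir = hashlib.md5(file.encode("ascii")).hexdigest()[0:2]
    path = os.path.join(spool_root, subdir, file)
    if not stays_inside(spool_root, path):
        raise ValueError("spool path escapes spool directory: %r" % path)
    return path


if __name__ == "__main__":
    for jid in ("alice@example.org", "..foobar@example.org", "b:d@example.org"):
        old = legacy_path(SPOOL_ROOT, jid)
        print("%-22s legacy: %s (inside: %s)" % (jid, old, stays_inside(SPOOL_ROOT, old)))
        print("%-22s hardened: %s" % ("", spool_path(SPOOL_ROOT, jid)))
```

Note that hashing alone only fixes the subdirectory component; the escaping step is what removes the remaining special characters (the ':' in the report's Windows example among them) from the file name itself, and the existing on-disk layout would need a migration since the subdirectory for every record changes.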
#1
mathemonkey
Mar 20, 2009
This line should speed up work by design :) Really, we had a related problem when these filenames were in non-Latin encodings and the system encoding was also non-Latin, and a necessary migration to MySQL.... But I don't want to break compatibility right now; many admins would be worried in this case.