Comment 15 for bug 903232

Jason Hullinger (jason-hullinger) wrote :

I think there are valid points on both sides. On one hand I think Thierry is correct in:

"This sounds like an issue that would be triggered in client tools that do not escape characters, not in Swift. Do you confirm ? If yes, then I agree with John that it sounds like an optional additional layer of security rather than a vulnerability in Swift."

I mostly agree that this should be an optional addition to Swift, and that in itself it is not a vulnerability within Swift. However, there are other circumstances where blacklisting certain characters or character ranges may be needed. For example, currently Swift allows any character for the name of an object or container, including control characters such as 0x01. When Swift outputs a container listing in XML it does so as XML 1.0 and prints out the literal character for 0x01 (start of heading). This will break nearly all XML 1.0 parsers because most control characters are not allowed in XML 1.0 (see Character Ranges: http://www.w3.org/TR/REC-xml/#charsets). In this example the problem isn't caused by the client but rather by the output from Swift, which will cause the error in the XML parser on the client. Additionally, there could also be other ranges that a Swift provider may not wish to support due to back-end systems or Python not being able to handle certain Unicode ranges.

Regarding the negative length of the Content-Length header: this could cause a denial of service because the service would never be able to read until '-1' bytes and the server would be forced to time out. Of course this is really no different than a user sending a POST with a Content-Length of 1 and never sending any data, also causing a timeout. However, the difference here is that this could potentially be used by another yet-to-be-found or yet-to-be-introduced vulnerability, such as an integer overflow, where having a negative Content-Length could potentially cause a greater vulnerability to occur. Since it's invalid to have a negative Content-Length and it has the potential to cause problems later, it would be best to fix it now.
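As an added illustration of the two points above (the XML 1.0 character-range problem in container listings and the negative Content-Length check), here is example code written for this note, not Swift's own code; the listing layout and the function names are constructed stand-ins:

```python
import re
import xml.etree.ElementTree as ET

# XML 1.0 "Char" production (http://www.w3.org/TR/REC-xml/#charsets):
#   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
# Anything outside these ranges (e.g. 0x01) cannot appear in a well-formed
# XML 1.0 document at all, not even escaped as a character reference.
_XML10_INVALID = re.compile(
    '[^\x09\x0a\x0d\x20-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]'
)


def xml10_invalid_chars(name):
    """Return the characters in an object/container name that XML 1.0 cannot carry."""
    return sorted(set(_XML10_INVALID.findall(name)))


def render_listing(container, names):
    """Constructed stand-in for an XML container listing (not Swift's real format).

    ElementTree does not validate text against XML 1.0, so a name containing
    0x01 is written out literally, just as the comment above describes.
    """
    root = ET.Element('container', name=container)
    for n in names:
        obj = ET.SubElement(root, 'object')
        ET.SubElement(obj, 'name').text = n
    return ET.tostring(root, encoding='unicode')


def listing_parses(xml_text):
    """True if a strict XML 1.0 parser (expat) accepts the listing."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def content_length_ok(value):
    """Content-Length must be a non-negative decimal integer; '-1' is rejected."""
    return re.fullmatch(r'[0-9]+', value) is not None
```

Running `listing_parses(render_listing('c', ['photo\x01.jpg']))` returns False, while the same listing with a plain name parses; `xml10_invalid_chars` is the server-side check that would catch such a name before it ever reaches a listing.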