Message352725
@xtreak the encoded null-byte test would be an extra test case to consider. It is reasonable to test as many known invalid sequences as possible. Changing that byte to encoded notation would just replace one test with another effectively changing the semantics of it.
To me, it's quite weird that it's considered a CVE at all: it's happening on the client side and it doesn't prevent the user from just feeding the proper bytes right into the socket so why overcomplicate things? |
|
Date |
User |
Action |
Args |
2019-09-18 13:05:58 | webknjaz | set | recipients:
+ webknjaz, jaraco, orsenthil, ned.deily, mcepl, eric.snow, tburke, xtreak |
2019-09-18 13:05:58 | webknjaz | set | messageid: <1568811958.21.0.186820161295.issue36274@roundup.psfhosted.org> |
2019-09-18 13:05:58 | webknjaz | link | issue36274 messages |
2019-09-18 13:05:57 | webknjaz | create | |
|