Sep 12, 2015
      Mitigate JSONP callback vulnerabilities · 209b0b6e
      Lukas Fleischer authored
      
      The callback parameter of the RPC interface currently allows for
      specifying a prefix of arbitrary length of the returned result. This can
      be exploited by certain attacks.
      
      As a countermeasure, this patch restricts the allowed character set for
      the callback name to letters, digits, underscores, parentheses and dots.
      It also limits the length of the name to 128 characters. Furthermore,
      the reflected callback name is now always prepended with "/**/", which
      is a common workaround to protect against attacks such as Rosetta Flash.
      
      Fixes FS#46259.
      
      Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
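The mitigation the commit message describes, written out as an added example (this is not aurweb's own code): a small JSONP response builder that applies the same character-set restriction, the 128-character length limit and the leading "/**/". The function and constant names are assumed.

```python
import json
import re
from typing import Optional

# Added example, not aurweb's code: the three checks described in the commit
# message, applied before a JSONP callback name is reflected into a response.
# Allowed characters: letters, digits, underscores, parentheses and dots;
# maximum length: 128 characters.
CALLBACK_RE = re.compile(r"[A-Za-z0-9_().]{1,128}")


def valid_callback(name: str) -> bool:
    """True if the callback name satisfies the character-set and length limits."""
    return CALLBACK_RE.fullmatch(name) is not None


def jsonp_response(payload: dict, callback: Optional[str]) -> str:
    """Render payload as plain JSON, or as a JSONP call when a callback is given.

    The reflected name is always preceded by "/**/" so the response body never
    starts with caller-chosen bytes; the character-set check alone would not
    guarantee that, since a name made only of letters and digits is accepted.
    """
    body = json.dumps(payload)
    if callback is None:
        return body
    if not valid_callback(callback):
        raise ValueError("invalid callback name")
    return "/**/" + callback + "(" + body + ")"


if __name__ == "__main__":
    # Constructed sample payload, shaped like an RPC search reply.
    print(jsonp_response({"type": "search", "resultcount": 0}, "jQuery1.2_cb"))
```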