Update Snoopy.class.inc #12

Merged
merged 1 commit into from Jul 3, 2014

@mstrokin
Contributor

commented Jul 3, 2014

fixed 0day vulnerability, added gzip functionality to 1.2.4

Update Snoopy.class.inc
fixed 0day vulnerability, added gzip functionality to 1.2.4

cogdog added a commit that referenced this pull request Jul 3, 2014

@cogdog cogdog merged commit e6c0cc1 into cogdog:master Jul 3, 2014

@thoger


commented Jul 8, 2014

The upstream fix is incomplete / insufficient. The host name from a provided URL is extracted for use in the Host: HTTP header and provided to curl using the -H option without proper escaping. So you can do bad things with URLs such as:

https://127.0.0.1%60sleep+15%60/foo.rss

Getting fixed in Snoopy upstream by removal of the curl support, see this and the following commits:

http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log#rev1.29

@thoger thoger referenced this pull request Jul 8, 2014

Open

Update Snoopy.class.inc #6
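
The missing escaping described in the comment above, shown from the defensive side as an added example; this is not code from Snoopy or from this pull request. The function names `safe_host()` and `curl_command()`, the curl path and the first sample URL are assumptions made for illustration, and the command line is only built, never executed.

```php
<?php
// Added example; safe_host() and curl_command() are hypothetical names.

// Return the URL's host only if it is a plain LDH host name or dotted IPv4
// address; IPv6 literals are out of scope for this sketch.
function safe_host(string $url): ?string
{
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Assumption: decode once, so the check sees what a decoding caller would.
    $host = rawurldecode($parts['host']);
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    $ok = preg_match('/^(?=.{1,253}$)' . $label . '(?:\.' . $label . ')*$/iD', $host);
    return $ok === 1 ? $host : null;
}

// Build the command line with every argument quoted separately (POSIX shell).
function curl_command(string $url, string $curl = '/usr/bin/curl'): ?string
{
    $host = safe_host($url);
    if ($host === null) {
        return null; // refuse instead of trying to sanitize
    }
    return implode(' ', [
        escapeshellarg($curl),
        '-H', escapeshellarg('Host: ' . $host),
        escapeshellarg($url),
    ]);
}

// Constructed inputs; the second is the URL quoted in the comment above.
$samples = [
    'https://example.org/feed.rss',
    'https://127.0.0.1%60sleep+15%60/foo.rss',
];
foreach ($samples as $u) {
    $cmd = curl_command($u);
    echo $u, ' => ', $cmd ?? 'REJECTED', PHP_EOL;
}
```

Allow-listing the host and quoting each argument are independent layers: the first refuses input that is not a host name at all, the second keeps whatever is accepted from being interpreted by the shell.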

@cogdog

Owner

commented Jul 9, 2014

This is a bit beyond my chops. If someone can pull and submit the proper replacement, I appreciate it.
