Update Snoopy.class.inc #12

Merged
merged 1 commit into from Jul 3, 2014

Conversation

mstrokin
Contributor

@mstrokin mstrokin commented Jul 3, 2014

fixed 0day vulnerability, added gzip functionality to 1.2.4

cogdog added a commit that referenced this pull request Jul 3, 2014
@cogdog cogdog merged commit e6c0cc1 into cogdog:master Jul 3, 2014
@thoger

thoger commented Jul 8, 2014

Upstream fix is incomplete / insufficient. Host name from a provided URL is extracted for use in the Host: HTTP header, provided to curl using the -H option without proper escaping. So you can do bad things with URLs such as:

https://127.0.0.1%60sleep+15%60/foo.rss

Getting fixed in Snoopy upstream by removal of the curl support, see this and the following commits:

http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log#rev1.29
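
An added example, not part of this thread and not Snoopy's or this plugin's code: one way to guard the call described in the comment above is to allowlist the host before it reaches the `Host:` header and to quote every curl argument with `escapeshellarg()`. The function names and the curl path are assumptions made for illustration.

```php
<?php
// Added example; safe_host() and build_curl_command() are hypothetical names.

// Return the host only if it is a plain DNS name or IPv4 literal
// (letters, digits, dots, hyphens); otherwise return null.
function safe_host(string $url): ?string {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Decode first, so percent-encoded shell metacharacters are judged as
    // what they would become if any later layer decodes the host.
    $host = rawurldecode($parts['host']);
    $pattern = '/^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/D';
    return preg_match($pattern, $host) === 1 ? $host : null;
}

// Build the curl command line with every value quoted as one argument.
// The curl path is an assumption; adjust it for the local system.
function build_curl_command(string $url, string $curl = '/usr/bin/curl'): ?string {
    $host = safe_host($url);
    if ($host === null) {
        return null; // refuse the request rather than try to sanitise it
    }
    $args = ['-sS', '-m', '30', '-H', 'Host: ' . $host, $url];
    return escapeshellarg($curl) . ' '
         . implode(' ', array_map('escapeshellarg', $args));
}

// Constructed inputs: the URL quoted in the comment above and an ordinary
// feed URL on a reserved example domain.
$samples = [
    'https://127.0.0.1%60sleep+15%60/foo.rss',
    'https://example.org/feed.rss',
];
foreach ($samples as $u) {
    $cmd = build_curl_command($u);
    echo $u, "\n  => ", $cmd ?? 'REJECTED (host fails allowlist)', "\n";
}
```

Passing the argument list to `proc_open()` as an array (PHP 7.4 and later) or using the PHP curl extension avoids the shell entirely, which is in line with the upstream decision to remove the curl command-line support.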

@cogdog
Owner

cogdog commented Jul 9, 2014

This is a bit beyond my chops. If someone can pull and submit the proper replacement, I appreciate it.
