[VIM] OpenEdit XSS vendor dispute
Matthew Murphy
mattmurphy at kc.rr.com
Wed Dec 28 06:59:46 UTC 2005
Steven M. Christey wrote:
> Near as I can tell, PHP itself doesn't quote an error message before
> returning it to the user. If it doesn't, it should, but I don't have PHP
> so I can't prove this.
Correct. I reported that buggy behavior with one particular example
(fopen) back in 2002:
http://bugs.php.net/bug.php?id=18727
I was told, essentially, "Fuck off, it's not our problem. Apps should
filter input."
A truth in theory, but not in practice. I'm sure we're all familiar
with buffer overflows, and that is an issue with the same solution. ;-)
If you can think of a borderline/nuance/etc. type of bug, they will
probably find a way to gloss over it. They did with this one, too,
evidently.
--
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."
-- Michael Holstein
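The point of the thread is that PHP hands a warning such as the one fopen() raises for a bad path straight to the browser, with any user-supplied value inside it unescaped. As an added example (not part of the post above, and not PHP's own code), this is the defensive pattern an application can apply regardless of how PHP behaves: install an error handler that logs the raw message and escapes anything it renders. The `file` query parameter and the sample filename are constructed for the illustration; PHP 7 or later is assumed for the typed handler signature.

```php
<?php
// Added example, not from the original post: stop PHP warnings from
// reflecting unescaped user input into HTML.

// Production default first: do not display errors to users at all.
// display_errors is a real php.ini / ini_set() directive.
// ini_set('display_errors', '0');

// Where messages must be shown (dev environments), escape them first.
// This signature matches what set_error_handler() passes to the callback.
function safe_error_handler(int $errno, string $errstr, string $errfile = '', int $errline = 0): bool
{
    // Keep the raw text server-side for debugging; never echo it as-is.
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));

    // htmlspecialchars() neutralises <, >, &, " and ' so a filename such as
    // report_<script>alert(1)</script>.txt renders as inert text.
    $safe = htmlspecialchars($errstr, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo '<p class="error">' . $safe . '</p>' . PHP_EOL;

    // Returning true tells PHP its built-in (unescaped) printer is not needed.
    return true;
}

set_error_handler('safe_error_handler', E_WARNING | E_NOTICE);

// Constructed input: 'file' is a hypothetical query parameter; the fallback
// value mimics a hostile filename so the example is self-contained.
$file = isset($_GET['file']) ? $_GET['file'] : 'report_<script>alert(1)</script>.txt';

// Primary control: constrain the value before it reaches any filesystem call.
// basename() strips directory components; the allowlist rejects odd characters.
$name = basename($file);
if (!preg_match('/^[A-Za-z0-9_.-]+$/', $name)) {
    // Reject outright; the untrusted value is never echoed back.
    echo '<p class="error">Invalid filename.</p>' . PHP_EOL;
    exit;
}

// Defence in depth: even if a warning fires here, the handler escapes it.
$fh = fopen(__DIR__ . '/' . $name, 'r');
if ($fh !== false) {
    fclose($fh);
}
```

With the constructed default value the allowlist rejects the name before fopen() runs; removing the `preg_match` guard lets the fopen() warning through, and the handler then shows the script tags as literal text instead of executing them. Input validation is the primary control; escaping at the point of output is the safety net for messages the application did not write itself.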