Enumerating badness

Posted Jan 30, 2025 8:14 UTC (Thu) by epa (subscriber, #39769)
Parent article: Credential-leaking vulnerability in some Git credential managers

The set of allowed characters in URLs is well specified. Rather than disallowing particular bad characters, surely any software that stores a URL should allow only characters in that set?



Enumerating badness

Posted Jan 30, 2025 8:52 UTC (Thu) by danielthompson (subscriber, #97243)

The malicious URL doesn't contain invalid characters: the carriage return is properly encoded as %0d. The problem emerges because git's processing of %0d results in a carriage return appearing in the (not-a-URL) data that passes between git and its credential helper.
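
As an added illustration of the exchange above (example code written for this page, not git's code and not either commenter's), the following Python contrasts the URL-character whitelist proposed in the first comment with the line-oriented key=value request a client writes to a credential helper. The URL, the hostnames, the request builder and the helper parser are all constructed simplifications for this example; they do not reproduce git's actual URL handling or its credential protocol.

```python
import re
from urllib.parse import urlsplit, unquote

# RFC 3986 unreserved + reserved characters plus '%' for percent-escapes.
# This is the whitelist the first comment proposes; '%' has to be in it,
# which is exactly what lets an encoded control character through.
URL_CHARSET = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")

# Constructed sample URLs for this example (hostnames are hypothetical).
# Every character in MALICIOUS_URL is legal URL syntax; the carriage
# return is percent-encoded as %0d.
MALICIOUS_URL = "https://example.com%0dhost=attacker.example/repo.git"
BENIGN_URL = "https://example.com/repo.git"


def passes_url_charset_check(url: str) -> bool:
    """The whitelist check from the first comment: accept only URL characters."""
    return URL_CHARSET.fullmatch(url) is not None


def credential_request(url: str) -> str:
    """Loosely mimic a client that builds the line-oriented key=value request
    sent to a credential helper. The host is percent-decoded before it is
    written, which is where the raw CR enters data that is no longer a URL.
    (Simplified stand-in for this example, not git's actual code.)"""
    parts = urlsplit(url)
    host = unquote(parts.netloc)  # "%0d" becomes "\r" here
    return f"protocol={parts.scheme}\nhost={host}\n\n"


def parse_helper_request(blob: str) -> dict:
    """Stand-in for a helper that treats CR as well as LF as a line
    terminator. Each key=value line becomes an entry; a repeated key
    overwrites the earlier value, so an injected line wins."""
    req = {}
    for line in blob.replace("\r", "\n").split("\n"):
        if not line:
            continue
        key, _, value = line.partition("=")
        req[key] = value
    return req


def credential_request_hardened(url: str) -> str:
    """Same request builder, but refuse any decoded component that contains
    a line terminator, so the protocol framing cannot be forged."""
    parts = urlsplit(url)
    host = unquote(parts.netloc)
    for value in (parts.scheme, host):
        if "\r" in value or "\n" in value:
            raise ValueError("URL component decodes to a newline; refusing to query helper")
    return f"protocol={parts.scheme}\nhost={host}\n\n"


def hardened_rejects(url: str) -> bool:
    """True if the hardened builder refuses to build a request for url."""
    try:
        credential_request_hardened(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("charset check passes:", passes_url_charset_check(MALICIOUS_URL))
    print("helper sees:", parse_helper_request(credential_request(MALICIOUS_URL)))
    print("hardened rejects:", hardened_rejects(MALICIOUS_URL))
```

The whitelist accepts the malicious URL because, as the reply says, every character in it is valid; the carriage return only exists after decoding, by which point the data is a key=value stream rather than a URL. Checking the decoded values for CR and LF before they reach the line-based protocol is the check that actually closes the gap.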


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds