* Adrian Mariano , 2018-07-23, 20:22:
I had sort of figured that getting bogus price data was a more serious
error than having extra or missing currencies, so I had made that error
message unconditional.
Good call.
stderr.write('Got unknown metal "{}" with value "{}"\n',metal,price)
Thi
On Mon, Jul 23, 2018 at 05:11:04PM +0200, Jakub Wilk wrote:
> * Adrian Mariano , 2018-07-22, 18:04:
> > > > I'm not sure about exactly the right way to validate the metals.
> > > > I took the most relaxed route of just banning '!',
> > > Enumerating badness makes me nervous. It is generally conside
* Adrian Mariano , 2018-07-22, 18:04:
I'm not sure about exactly the right way to validate the metals. I
took the most relaxed route of just banning '!',
Enumerating badness makes me nervous. It is generally considered a bad
security practice.
What do you mean by "enumerating badness"?
I mea
On Sun, Jul 22, 2018 at 09:41:00PM +0200, Jakub Wilk wrote:
> * Adrian Mariano , 2018-07-20, 19:49:
> > I'm not sure about exactly the right way to validate the metals. I took
> > the most relaxed route of just banning '!',
>
> Enumerating badness makes me nervous. It is generally considered a bad
* Adrian Mariano , 2018-07-20, 19:49:
I'm not sure about exactly the right way to validate the metals. I took
the most relaxed route of just banning '!',
Enumerating badness makes me nervous. It is generally considered a bad
security practice.
How about whitelisting known-good metal names ("
On Fri, Jul 20, 2018 at 11:26:44PM +0200, Jakub Wilk wrote:
> * Adrian Mariano , 2018-07-20, 16:55:
> > Validating the data is pretty easy. The only data is the rate and it is
> > supposed to be a floating point number.
> [...]
> > Is it enough?
>
> I think the data from Packetizer (Bitcoin price
* Adrian Mariano , 2018-07-20, 16:55:
Validating the data is pretty easy. The only data is the rate and it
is supposed to be a floating point number.
[...]
Is it enough?
I think the data from Packetizer (Bitcoin price, and precious metals
names and prices) need validation, too.
--
Jakub W
Validating the data is pretty easy. The only data is the rate and it
is supposed to be a floating point number. Switching to https is easy too.
The attached patch does both.
Is it enough?
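The two validation questions raised in this thread (is "rate must be a floating point number" enough, and allowlisting known metal names versus banning '!') in working code. This is an added example written for this page, not units_cur's own code; it assumes the fetched data arrives as a mapping of currency code to rate string and of metal name to price string, and that each accepted entry becomes one "NAME  VALUE" line in a units datafile, where a leading '!' starts a directive and a newline starts a new definition. The metal list, the currency-code shape and the sample feeds are constructed for the example.

```python
"""Validation of fetched currency and metal data (added example, not units_cur code).

Assumptions (not stated on the page): fetched data is a dict of
code -> rate string and a dict of metal name -> price string, and every
accepted entry is written as one 'NAME  VALUE' line of a units datafile.
"""
import math
import re

# Allowlist of metal names the script will accept (constructed for this
# example; the real list used by units_cur is not shown on the page).
KNOWN_METALS = frozenset({"gold", "silver", "platinum", "palladium"})

# Currency code: exactly three uppercase ASCII letters (ISO 4217 shape).
CURRENCY_CODE_RE = re.compile(r"[A-Z]{3}")

# A rate is a plain positive decimal: digits with an optional fraction.
# float() alone is not a sufficient check: it also accepts 'nan', 'inf',
# '1e999', '1_000' and surrounding whitespace.
RATE_RE = re.compile(r"[0-9]+(\.[0-9]+)?")


class ValidationError(ValueError):
    """Raised for any entry that is not exactly what we expect."""


def parse_rate(value):
    """Return the rate as a float, or raise ValidationError."""
    text = str(value)
    if not RATE_RE.fullmatch(text):
        raise ValidationError("bad rate %r" % text)
    rate = float(text)
    if not math.isfinite(rate) or rate <= 0.0:
        raise ValidationError("rate out of range %r" % text)
    return rate


def validate_currencies(raw):
    """raw: {code: rate string}. Returns {code: float}.

    Every entry must pass. One bogus value aborts the whole update rather
    than being skipped, because writing a wrong definition is worse than
    writing none.
    """
    good = {}
    for code, value in raw.items():
        if not CURRENCY_CODE_RE.fullmatch(str(code)):
            raise ValidationError("bad currency code %r" % code)
        good[code] = parse_rate(value)
    return good


def validate_metals(raw):
    """Allowlist version: the name must be one we already know."""
    good = {}
    for name, price in raw.items():
        if name not in KNOWN_METALS:
            raise ValidationError(
                'Got unknown metal "%s" with value "%s"' % (name, price))
        good[name] = parse_rate(price)
    return good


def denylist_metal_ok(name):
    """The relaxed check the thread starts from: only '!' is banned.

    Kept for contrast. Under the one-line-per-entry assumption above, a
    name containing a newline still passes and becomes a second line.
    """
    return "!" not in name


def datafile_lines(currencies, metals):
    """Render validated entries as 'NAME  VALUE' lines (assumed format)."""
    lines = []
    for code, rate in sorted(currencies.items()):
        lines.append("%s  %s" % (code, repr(rate)))
    for name, price in sorted(metals.items()):
        lines.append("%s  %s" % (name, repr(price)))
    return lines


if __name__ == "__main__":
    # Constructed feeds: one well-formed, one with bad entries.
    good_feed = ({"EUR": "0.85", "JPY": "110.3"}, {"gold": "1234.5"})
    print("\n".join(datafile_lines(validate_currencies(good_feed[0]),
                                   validate_metals(good_feed[1]))))
    for bad_metals in ({"copper": "5"}, {"gold\nbogus  1": "100"}, {"gold": "nan"}):
        name = next(iter(bad_metals))
        print("denylist passes %r: %s" % (name, denylist_metal_ok(name)))
        try:
            validate_metals(bad_metals)
        except ValidationError as e:
            print("allowlist rejects: %s" % e)
```

The denylist check is included only to show what it misses: it accepts every name except those containing '!', so any character whose meaning in the output format was not anticipated gets through. The allowlist accepts only names that are already known, so a new metal appearing in the feed is reported as an error and a human decides whether to add it.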
On Tue, Jul 03, 2018 at 09:04:14PM +0200, Stephen Kitt wrote:
> Control: forwarded adri...@gnu.org
>
>
Control: forwarded adri...@gnu.org
Hi Adrian,
I thought you’d be interested in this bug report... A straightforward partial
fix would be to switch to the https URIs, better still would be to add
certificate validation of some sort, but I think a real fix would involve
format validation and data s
Package: units
Version: 2.17-1
Tags: security
units_cur does no sanitization of the data it downloads. Malicious
operators of the servers or man-in-the-middle attackers[*] could exploit
this to execute arbitrary code.
As a proof of concept, I patched units_cur to emulate Yahoo returning
mali