On 12/27/18 8:51 AM, Niccolò Belli wrote:
> On Wednesday, 26 December 2018 13:38:28 CET, Frediano Ziglio wrote:
>> Yes, this looks like a format string error in the upper (not into
>> spice) layer.
>>
>> This potentially is a security problem.
>
> Considering the spice server is exposed to the internet this is
> definitely worth investigating.
>
>> The specific '%' character could be the issue, can you try others
>> ('!', '@' and
>> so on) ?
>
> I tried several other special characters and they all seem to work,
> except for "Password&&" which gets converted to "Password&&" (if
> I type "Password&&" it works).

Could it be related to this patch where our JSON code mishandles %?

https://lists.gnu.org/archive/html/qemu-devel/2019-01/msg00108.html

--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel