Hey,

On Thu, Jan 03, 2019 at 04:25:00PM -0600, Eric Blake wrote:
> On 12/27/18 8:51 AM, Niccolò Belli wrote:
> > On Wednesday 26 December 2018 13:38:28 CET, Frediano Ziglio wrote:
> >> Yes, this looks like a format string error in the upper (not into
> >> spice) layer.
> >>
> >> This potentially is a security problem.
> >
> > Considering the spice server is exposed to the internet this is
> > definitely worth investigating.
> >
> >> The specific '%' character could be the issue, can you try others
> >> ('!', '@' and so on) ?
> >
> > I tried several other special characters and they all seem to work,
> > except for "Password&&" which gets converted to "Password&&" (if
> > I type "Password&&" it works).
>
> Could it be related to this patch where our JSON code mishandles %?
> https://lists.gnu.org/archive/html/qemu-devel/2019-01/msg00108.html

Yes definitely, this is where the patch came from. Mentioning this spice
issue is yet another thing I should have added in the commit log, but
which I only thought about *after* having sent the patch :)

Christophe