[VIM] OpenEdit XSS vendor dispute

Matthew Murphy mattmurphy at kc.rr.com
Wed Dec 28 06:59:46 UTC 2005


Steven M. Christey wrote:
> Near as I can tell, PHP itself doesn't quote an error message before
> returning it to the user.  If it doesn't, it should, but I don't have PHP
> so I can't prove this.

Correct.  I reported that buggy behavior with one particular example
(fopen) back in 2002:

http://bugs.php.net/bug.php?id=18727

I was told, essentially, "Fuck off, it's not our problem.  Apps should
filter input."

A truth in theory, but not in practice.  I'm sure we're all familiar
with buffer overflows, and that is an issue with the same solution. ;-)

If you can think of a borderline/nuance/etc. type of bug, they will
probably find a way to gloss over it.  They did with this one, too,
evidently.

--
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

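The fopen() case the post refers to, as an added example that is not part of the original message, of the PHP bug report, or of PHP itself: a user-supplied path that fails to open produces a warning containing that path verbatim, and with display_errors on the engine writes that warning into the HTML response. The second half shows the application-side fix the "apps should filter" position implies: a single error handler that logs the raw text and escapes anything it shows. The handler, the function names and the constructed payload are assumptions for illustration.

```php
<?php
// Added example; not code from the VIM post, from bugs.php.net or from
// PHP. Demonstrates reflected XSS via an unescaped runtime warning and
// an application-level error handler that closes it regardless of what
// the engine's own error printer does.
declare(strict_types=1);

// --- Vulnerable shape -------------------------------------------------
// $path comes straight from the request (think $_GET['file']). If the
// file does not exist, PHP raises a warning whose text embeds $path:
//   Warning: fopen(<script>...</script>): Failed to open stream: ...
// With display_errors=On that text is written into the response body by
// the engine, so the markup the client supplied is rendered as markup.
function openUserFile(string $path)
{
    $fh = fopen($path, 'r');
    if ($fh === false) {
        return null;
    }
    return $fh;
}

// --- Hardened shape ---------------------------------------------------
// 1. Stop the engine from rendering messages at all and log them instead.
// 2. Route every warning/notice through one handler that escapes before
//    it echoes, so no caller has to remember to filter the path itself.
function installEscapingErrorHandler(): void
{
    ini_set('display_errors', '0');   // engine prints nothing to the client
    ini_set('log_errors', '1');       // raw, unescaped text goes to the log
    set_error_handler(
        static function (int $errno, string $errstr, string $errfile, int $errline): bool {
            error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
            // Escape before output. In production show a generic message
            // instead; the escaped detail is shown here to make the
            // difference visible.
            $safe = htmlspecialchars($errstr, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            echo '<p class="error">Could not process the request (' . $safe . ")</p>\n";
            return true;   // handled; PHP's default printer is skipped
        }
    );
}

// --- Demonstration (run from the CLI: php example.php) -----------------
// Constructed payload standing in for a hostile ?file= parameter.
$userPath = '<script>alert(document.cookie)</script>';

installEscapingErrorHandler();
$fh = openUserFile($userPath);   // no such file: warning reaches our handler
// The echoed text now contains &lt;script&gt;...&lt;/script&gt; rather
// than a live <script> element, and the original string is in the log.
```

set_error_handler() does not receive fatal errors (E_ERROR, E_PARSE and friends), so the display_errors=Off and log_errors=On settings are what protect those paths; the handler is what makes the recoverable warnings safe. Suppressing the call with @ only hides the engine's own output and fixes nothing if a later code path prints the message.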