Date: Sat, 18 Apr 2015 21:03:39 -0400
From: Mathieu Laprise <mathlaprise@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: Improving Johnny

> > here is a line in Johnny:
> > temp << QString("%1:%2::%3\n").arg(user).arg(hash).arg(hash);
> > Do you see any problems with it? If there is a problem then
> - provide an example of input to trigger the problem.
> - How would you fix it?
> - Does the fix work with your example?
> - Push the fix into a separate branch in your public repo please.
>

I really don't see how this question would tell you how experienced I am as a software engineer so I probably didn't understand it well. Ah ah :( So here is just my hypothesis after thinking about it for 2 minutes.

If we were using unsafe functions like gets in C, a buffer and reading from a file, it'd be important to verify that the size of user input isn't bigger than our buffer, but luckily QString and QTextStream seem to be safe against buffer overflow. So the problem is that if the user has a %1 in their username, Johnny won't write the correct info to the file and the user will say "This software doesn't work!" and we're gonna lose a happy user!

Correction:

temp << user << ":" << hash << "::" << hash << '\n';
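
The behaviour discussed in the message above, as an added example that is not part of the original post and is not Johnny's code. It assumes the documented rule that `QString::arg()` replaces the lowest-numbered place marker still present in the string; `arg` below is a simplified stand-in for it in plain C++, and `marker`, `chained`, `streamed` and the sample values are constructed for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Parse a place marker (%1..%99) at s[i]; return its number and length, or 0.
static int marker(const std::string &s, size_t i, size_t &len) {
    if (s[i] != '%' || i + 1 >= s.size() || !std::isdigit((unsigned char)s[i + 1]))
        return 0;
    int n = s[i + 1] - '0';
    len = 2;
    if (i + 2 < s.size() && std::isdigit((unsigned char)s[i + 2])) {
        n = n * 10 + (s[i + 2] - '0');
        len = 3;
    }
    return n;
}

// Simplified model of QString::arg(): substitute every occurrence of the
// lowest-numbered marker present. Not Qt code; %L1 and field widths omitted.
static std::string arg(const std::string &s, const std::string &a) {
    int lowest = 0;
    size_t len = 0;
    for (size_t i = 0; i < s.size(); ++i) {
        int n = marker(s, i, len);
        if (n > 0 && (lowest == 0 || n < lowest)) lowest = n;
    }
    if (lowest == 0) return s;  // no marker left, the argument is dropped
    std::string out;
    for (size_t i = 0; i < s.size();) {
        if (marker(s, i, len) == lowest) { out += a; i += len; }
        else out += s[i++];
    }
    return out;
}

// The line from the message: each arg() re-scans text already substituted.
std::string chained(const std::string &user, const std::string &hash) {
    return arg(arg(arg("%1:%2::%3\n", user), hash), hash);
}

// The correction from the message: plain concatenation, no marker parsing.
std::string streamed(const std::string &user, const std::string &hash) {
    return user + ":" + hash + "::" + hash + "\n";
}

int main() {
    // Constructed input: a user name that contains a place marker.
    std::cout << chained("bob%1", "aabbccdd") << streamed("bob%1", "aabbccdd");
}
```

With the chained form the first hash lands inside the user name and a literal `%3` is left in the last field; the streamed form writes the user name unchanged.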