bugzilla-daemon at mindrot.org
2002-Mar-30 19:13 UTC
[Bug 111] sshd syslogs raw untrusted data
http://bugzilla.mindrot.org/show_bug.cgi?id=111

------- Additional Comments From stevesk at pobox.com 2002-03-31 05:13 -------
we should perhaps vis(3) wrap log calls.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2002-Apr-17 02:03 UTC
[Bug 111] sshd syslogs raw untrusted data
http://bugzilla.mindrot.org/show_bug.cgi?id=111

------- Additional Comments From djm at mindrot.org 2002-04-17 12:03 -------
I agree that it should be syslog's responsibility to safely encode any untrusted data. I hope you filed a bug with Sun too :)

Here's an untested patch which runs all syslog data through vis()
bugzilla-daemon at mindrot.org
2002-Apr-17 03:04 UTC
[Bug 111] sshd syslogs raw untrusted data
http://bugzilla.mindrot.org/show_bug.cgi?id=111

------- Additional Comments From djm at mindrot.org 2002-04-17 13:04 -------
Created an attachment (id=79)
Process all syslog data through vis()
bugzilla-daemon at mindrot.org
2002-Apr-17 03:42 UTC
[Bug 111] sshd syslogs raw untrusted data
http://bugzilla.mindrot.org/show_bug.cgi?id=111

------- Additional Comments From tomh at po.crl.go.jp 2002-04-17 13:42 -------
A while ago vis.[ch] was removed because it wasn't used anywhere. This was helpful for another reason: AT&T's graphviz package defines a completely different vis() and has a vis.h. Since -I$(srcdir)/openbsd-compat was removed, it would always find the vis.h in /usr/local/include on systems with graphviz installed and die.

If this patch goes in, it'd be nice if the prototype for vis() could be added someplace else, instead of relying on finding vis.h in the -I searchpath.
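
An added example, not the attachment from this bug and not OpenSSH code: a self-contained octal escaper in the style of vis(3), applied to untrusted data before it reaches syslog(), written so that it does not depend on finding a vis.h header. The names log_encode and log_untrusted and the sample user name are assumptions made for the illustration.

```c
#include <stdio.h>
#include <syslog.h>

/*
 * Hypothetical helper: copy src into dst, writing every byte outside
 * printable ASCII as a \ooo octal escape and doubling backslashes so a
 * reader can tell escapes from literal text. Returns the encoded length,
 * or -1 if dst is too small (dst is then left as an empty string).
 */
static int
log_encode(char *dst, size_t dlen, const char *src)
{
	const unsigned char *p;
	size_t o = 0;

	if (dlen == 0)
		return -1;
	for (p = (const unsigned char *)src; *p != '\0'; p++) {
		int printable = (*p >= 0x20 && *p < 0x7f);
		size_t need = (*p == '\\') ? 2 : (printable ? 1 : 4);

		if (dlen - o <= need) {	/* always keep room for the NUL */
			dst[0] = '\0';
			return -1;
		}
		if (printable) {
			if (*p == '\\')
				dst[o++] = '\\';
			dst[o++] = (char)*p;
		} else {
			o += (size_t)snprintf(dst + o, dlen - o, "\\%03o",
			    (unsigned)*p);
		}
	}
	dst[o] = '\0';
	return (int)o;
}

/* Encode first, then pass the result as an argument, never as the format. */
static void
log_untrusted(int pri, const char *what, const char *untrusted)
{
	char enc[1024];

	if (log_encode(enc, sizeof(enc), untrusted) == -1)
		snprintf(enc, sizeof(enc), "(value too long to log)");
	syslog(pri, "%s: %s", what, enc);
}
```

With a constructed user name such as "bob" followed by a newline and a forged log entry, the newline is logged as \012, so the forged text stays on the same line as the genuine entry.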