- From: Dirk-Willem van Gulik <dirkx@webweaving.org>
- Date: Wed, 26 Jan 2005 07:38:25 -0800 (PST)
- To: "Seaborne, Andy" <andy.seaborne@hp.com>
- cc: public-rdf-dawg@w3.org
On Wed, 26 Jan 2005, Seaborne, Andy wrote:

> Thanks for the comments - I found them helpful and a bit scary where it talks
> about the issues around long URLs and security tools.

These products are not exactly refined - i.e. they just look for things like:

-> Very long URIs aimed at buffer overruns.
-> Too many spaces or 0x90 in the URI (buffer overruns too)
-> Things which look like SQL or Access/VBScript (bad code which does not escape properly so that SQL constructed on the fly makes it to the DB or to the stored procedure/scripting realm)
-> UTF8 or Unicode escape sequences in the ? part (mostly for cross site scripting and phishing).

and block these. Having said that -even- things like apache cut things off at 8k for any line or field - and it is common to reduce this.

Dw

193.252.28.6 - - [10/Jan/2005:06:26:04 +0100] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 403 - "-" "-"
80.110.204.152 - - [10/Jan/2005:19:40:17 +0100] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1! \x02\xb1\x
Received on Wednesday, 26 January 2005 15:42:50 UTC
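The four request shapes the message lists (very long URIs, 0x90 runs or excess spaces, SQL-looking text, Unicode/UTF-8 escapes in the query part) written out as a log scanner, as an added example that is not code from the message or from the DAWG list. It parses Apache combined-log lines and reports which heuristic each request trips. Assumptions: the thresholds are invented (8190 is Apache's default LimitRequestLine, the "8k" the message mentions); of the sample lines, only the first is the message's own, the 0x90 line is a shortened form of the message's second line with an assumed 414 status, and the rest are constructed; and the double-encoding check (%25XX) is applied to the whole URI, which goes slightly beyond the message's "in the ? part".

```python
"""Heuristic access-log scanner for the request shapes the message lists.
Added example; thresholds are assumptions, not any product's settings."""
import re
from urllib.parse import unquote

# Assumed thresholds. 8190 is Apache's default LimitRequestLine; the rest are arbitrary.
MAX_URI_LEN = 8190
MAX_SPACES = 16
MAX_BINARY_ESCAPES = 8

# Apache logs non-printable request bytes as \xHH, so a 0x90 byte appears
# literally as the four characters "\x90"; match that form and the raw byte.
NOP_BYTE = re.compile(r'\\x90|\x90')
BINARY_ESCAPE = re.compile(r'\\x[0-9a-fA-F]{2}')
# Fragments that "look like SQL" once the URI has been percent-decoded.
SQL_LIKE = re.compile(
    r"(?i)(union\s+select|select\s.{0,200}?\sfrom\s|insert\s+into|drop\s+table|'\s*or\s+[\w']+\s*=)")
# %uXXXX escapes and overlong UTF-8 lead bytes (C0/C1, E0 80..9F) in the query part.
ESCAPED_UNICODE = re.compile(
    r'(?i)%u[0-9a-f]{4}|%c[01]%[89ab][0-9a-f]|%e0%[89][0-9a-f]%[89ab][0-9a-f]')
# A percent sign that is itself percent-encoded: %255c in the message's first
# log line only becomes %5c (a backslash) after a second round of decoding.
DOUBLE_ENCODED = re.compile(r'(?i)%25[0-9a-f]{2}')

# Combined log format up to the request field; status and referer are not needed here.
LOG_LINE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)"')


def parse_line(line):
    """Return (host, method, uri) or None if the line is not a complete log record."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = m.group('request').split(' ')
    method = parts[0] if parts else ''
    uri = parts[1] if len(parts) > 1 else ''
    return m.group('host'), method, uri


def classify(uri):
    """Return the list of heuristics the request URI trips (empty if none)."""
    reasons = []
    if len(uri) > MAX_URI_LEN:
        reasons.append('long-uri')
    if NOP_BYTE.search(uri) or len(BINARY_ESCAPE.findall(uri)) > MAX_BINARY_ESCAPES:
        reasons.append('binary-or-nop-run')
    # Decode '+' and %XX once so spaces and SQL fragments are counted as the app sees them.
    decoded = unquote(uri.replace('+', ' '))
    if decoded.count(' ') > MAX_SPACES:
        reasons.append('too-many-spaces')
    if SQL_LIKE.search(decoded):
        reasons.append('sql-like')
    query = uri.partition('?')[2]
    if ESCAPED_UNICODE.search(query) or DOUBLE_ENCODED.search(uri):
        reasons.append('suspicious-escapes')
    return reasons


def scan(lines):
    """Return [(host, method, reasons)] for every parseable line that trips a heuristic."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, method, uri = parsed
        reasons = classify(uri)
        if reasons:
            hits.append((host, method, reasons))
    return hits


# Sample input: line 1 is from the message; line 2 is a shortened, constructed
# form of the message's second line; the rest are constructed (RFC 5737 addresses).
SAMPLE_LINES = [
    '193.252.28.6 - - [10/Jan/2005:06:26:04 +0100] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 403 - "-" "-"',
    r'80.110.204.152 - - [10/Jan/2005:19:40:17 +0100] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1" 414 - "-" "-"',
    # A SPARQL query sent by GET: looks like SQL to a keyword scanner only when it carries FROM.
    '192.0.2.10 - - [10/Jan/2005:08:00:00 +0100] "GET /sparql?query=SELECT+%3Fs+WHERE+%7B+%3Fs+%3Fp+%3Fo+%7D HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.11 - - [10/Jan/2005:08:00:01 +0100] "GET /sparql?query=SELECT+%3Fs+FROM+%3Chttp://example.org/g%3E+WHERE+%7B+%3Fs+%3Fp+%3Fo+%7D HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [10/Jan/2005:21:15:30 +0100] "GET /login.asp?user=admin%27+or+%271%27%3D%271 HTTP/1.0" 200 - "-" "-"',
    '198.51.100.8 - - [10/Jan/2005:21:16:02 +0100] "GET /default.asp?id=%u0027 HTTP/1.0" 200 - "-" "-"',
    '203.0.113.5 - - [10/Jan/2005:09:00:00 +0100] "GET /%s HTTP/1.0" 414 - "-" "-"' % ('a' * 9000),
]

if __name__ == '__main__':
    for host, method, reasons in scan(SAMPLE_LINES):
        print(host, method, ', '.join(reasons))
```

The two SPARQL lines are the point of the exercise for this thread: a `SELECT ... WHERE` query in a GET URL passes, but the same query with a `FROM` clause is flagged as "sql-like" by a keyword scanner of this sort, which is exactly the kind of false positive a SPARQL protocol running over long query URLs can expect from these tools.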