Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Heiko Schlittermann
Ημερομηνία:  
Προς: exim-users
Υ/ο: Russell King
Αντικείμενο: Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable
Hi,

Russell King <rmk@???> (Di 11 Jun 2019 17:49:32 CEST):
> I replied to your mail below, honouring the mail-followup-to, but
> exim-users has not processed the message despite later messages
> coming through.


Hm, maybe the root cause is CC to me, when sending to the list.

> I essentially said that you have not understood my report. I'm
> not talking about the shortlog page (which works fine) but any of
> the links _from_ the shortlog, and it doesn't matter if I use
> firefox or elinks, the result is the same - the website _is_
> broken.


I know, the shortlogs page works fine, and all links _from_ this page
do not work.

If you replace + in the shortlog's URL with %2B and <ENTER> it, or,
if you follow this link:

    https://git.exim.org/exim.git/shortlog/refs/heads/exim-4_91%2Bfixes


all links _from_ this page work.
Yes, I'm not sure if this is a bug in gitweb and some browsers are able
work around it, of if this is a browser bug.

Probably you're right and it is gitweb's failure.
If I download the page with curl using the +fixes URL, the
downloaded HTML contains lines like

href="/exim.git/shortlog/refs/heads/exim-4_91 fixes/exim.git/snaps…

which definitly shouldn't happen


    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -