
MP1 Security issue (was Re: [mp1] PerlRun fails if path_info contains special symbols)


>>>>> "Alex" == Alex Solovey <suppressed> writes:

Alex> The problem is due to unescaped variable interpolation in regular
Alex> expression $uri =~ /$path_info$/ in sub namespace_from:

I don't want to raise too many alarms, but this means that every MP1 server
has a denial-of-service attack against it now.

Consider a regex that takes 10,000 years to figure out it doesn't match.
Those can be written in under 50 characters.  I'm sure the golfers can get
it down to 10.

And path_info is an arbitrary string, aided by having %-escaping before it
gets this far, I presume.

Ick.

"Hello, CERT?"

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<suppressed> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
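
The interpolation problem discussed in this message, as an added example that is not part of the original post or of the mod_perl source: it contrasts the quoted `$uri =~ /$path_info$/` test with two forms that treat path_info as literal text. The function names and the sample URI/path_info pairs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern quoted in the thread: path_info is compiled as regex source.
# Returns 1/0 for match/no match, or 'error' if the pattern fails to compile.
sub ends_with_interpolated {
    my ($uri, $path_info) = @_;
    my $r = eval { $uri =~ /$path_info$/ ? 1 : 0 };
    return defined $r ? $r : 'error';
}

# Hardened: \Q...\E (quotemeta) makes every character of path_info literal.
# \z anchors at the true end of the string.
sub ends_with_quoted {
    my ($uri, $path_info) = @_;
    return $uri =~ /\Q$path_info\E\z/ ? 1 : 0;
}

# Alternative that never invokes the regex engine: compare the tail directly.
sub ends_with_substr {
    my ($uri, $path_info) = @_;
    my $n = length $path_info;
    return 1 if $n == 0;
    return 0 if $n > length $uri;
    return substr($uri, -$n) eq $path_info ? 1 : 0;
}

# Constructed (URI, path_info) pairs; none come from the original message.
my @cases = (
    [ '/perl/app.pl/a/b', '/a/b' ],   # plain suffix
    [ '/perl/app.pl/x+y', '/x+y' ],   # '+' read as a quantifier
    [ '/perl/app.pl/a(b', '/a(b' ],   # unbalanced '(' cannot compile
    [ '/perl/app.pl/abc', '/a.c' ],   # '.' matches any character
);

for my $case (@cases) {
    my ($uri, $pi) = @$case;
    printf "%-18s %-6s interpolated=%-5s quoted=%s substr=%s\n",
        $uri, $pi,
        ends_with_interpolated($uri, $pi),
        ends_with_quoted($uri, $pi),
        ends_with_substr($uri, $pi);
}
```

With quoting or the `substr` comparison, the request never supplies pattern source, so both the wrong matches and the request-controlled matching cost go away.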

