projects / fw / openocd / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 9de7d9c) | patch
CVE-2018-5704: Prevent some forms of Cross Protocol Scripting attacks
authorAndreas Fritiofson <andreas.fritiofson@gmail.com>
Sat, 13 Jan 2018 20:00:47 +0000 (21:00 +0100)
committerPaul Fertser <fercerpav@gmail.com>
Fri, 22 Nov 2019 18:25:34 +0000 (18:25 +0000)
commit6d54d905413243cc65687e30669a94037a14cbe6
tree3ecfef5b88a1ab08bfa69baef754211574d197b2tree | snapshot
parent9de7d9c81d91a5cfc16a1476d558d92b08d7e596commit | diff
CVE-2018-5704: Prevent some forms of Cross Protocol Scripting attacks

OpenOCD can be targeted by a Cross Protocol Scripting attack from
a web browser running malicious code, such as the following PoC:

var x = new XMLHttpRequest();
x.open("POST", "http://127.0.0.1:4444", true);
x.send("exec xcalc\r\n");

This mitigation should provide some protection from browser-based
attacks and is based on the corresponding fix in Redis:

https://github.com/antirez/redis/blob/8075572207b5aebb1385c4f233f5302544439325/src/networking.c#L1758

Change-Id: Ia96ebe19b74b5805dc228bf7364c7971a90a4581
Signed-off-by: Andreas Fritiofson <andreas.fritiofson@gmail.com>
Reported-by: Josef Gajdusek <atx@atx.name>
Reviewed-on: http://openocd.zylin.com/4335
Tested-by: jenkins
Reviewed-by: Jonathan McDowell <noodles-openocd@earth.li>
Reviewed-by: Paul Fertser <fercerpav@gmail.com>
src/server/startup.tcl diff | blob | history
openocd with support for Altus Metrum targets