Comments (6)
from p6-net-telnet.
Alternatively, refactor the Net::Telnet::Chunk grammar to throw an error if it encounters a scenario like this. Catch x number of times in the parse method and close the connection once the number of errors thrown in a row exceeds x. The method I mentioned in the OP requires much more refactoring, but if you wish to follow that instead, follow how curl handles parsing telnet messages.
from p6-net-telnet.
I'd really love to help here, but I don't know the first thing about Telnet. I have no idea what the acronyms above mean, why that's insecure, if there's a test for that already, if someone would have to write the test before...
Could you maybe please clarify, with pointers to the code if that's convenient for you? Catching repeated elements in a list shouldn't be difficult, and writing a test for that, but I'm not sure if that's what you're needing.
from p6-net-telnet.
It's insecure because if a telnet server is badly written or malicious, it could try to send messages like the example I gave in the OP, which this currently doesn't handle properly. The acronyms represent different telnet commands, which can be found in RFC854. The grammar used to parse telnet messages is here. At the moment, it trusts that all negotiations/subnegotiations will be sent exactly as specified in the spec, which may not always be the case. Like I mentioned earlier, adding an error method to the grammar to throw something like X::Net::Telnet::InvalidMessage if any of the tokens in the grammar fail to parse would help mitigate this.
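The mitigation suggested in this thread (raise an exception for anything that deviates from RFC 854, and close once more than x chunks in a row fail), as an added example that is not part of the thread or the project's code. It is written in Python rather than the project's Raku grammar; `parse_chunk`, `ChunkGuard` and the Python `InvalidMessage` class are hypothetical names, and each chunk is assumed to contain only whole messages.

```python
IAC, SE, SB, END = 255, 240, 250, b"\xff\xf0"
NEGOTIATE = {251, 252, 253, 254}   # WILL, WONT, DO, DONT
SIMPLE = set(range(241, 250))      # NOP..GA: one-byte commands in RFC 854

class InvalidMessage(Exception):
    """Stand-in for the X::Net::Telnet::InvalidMessage named in the thread."""

def parse_chunk(data: bytes):
    """Strictly parse one chunk (assumed to hold only whole messages)."""
    text, cmds, i, n = bytearray(), [], 0, len(data)
    while i < n:
        if data[i] != IAC or data[i + 1:i + 2] == b"\xff":
            text.append(data[i])                 # data byte, or IAC IAC escape
            i += 2 if data[i] == IAC else 1
            continue
        cmd = data[i + 1] if i + 1 < n else None
        if cmd in SIMPLE:
            cmds.append(("command", cmd))
            i += 2
        elif cmd in NEGOTIATE and i + 2 < n:
            cmds.append(("negotiation", cmd, data[i + 2]))
            i += 3
        elif cmd == SB and data[i + 2:i + 4] != END:
            body, j = bytearray(), i + 2
            while data[j:j + 2] != END:
                if j >= n:
                    raise InvalidMessage("subnegotiation without IAC SE")
                if data[j] == IAC:
                    if data[j + 1:j + 2] != b"\xff":
                        raise InvalidMessage("bare IAC inside subnegotiation")
                    j += 1                       # skip the escaping IAC
                body.append(data[j])
                j += 1
            cmds.append(("subnegotiation", body[0], bytes(body[1:])))
            i = j + 2
        else:
            raise InvalidMessage(f"malformed command at offset {i}")
    return bytes(text), cmds

class ChunkGuard:  # closes after more than `limit` invalid chunks in a row
    def __init__(self, limit: int):
        self.limit, self.streak, self.closed = limit, 0, False
    def feed(self, data: bytes):
        try:
            result, self.streak = parse_chunk(data), 0
        except InvalidMessage:
            result, self.streak = None, self.streak + 1
        self.closed = self.closed or self.streak > self.limit
        return result
```

`feed` returns `None` for a rejected chunk, and a valid chunk resets the streak, so only consecutive failures count toward closing.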
from p6-net-telnet.
@JJ any progress?
Related Issues (17)
- Abstract connection logic out to Net::Telnet::Socket
- PSBot::Connection needs a send-text method
- More documentation and example code are needed
- Debug logging should only happen depending on an env variable
- Initial client negotiation shouldn't be dependent on the server sending text
- "SGA is supported" my ass
- Implement ENVIRON and NEW-ENVIRON option support
- Implement TERMINAL-TYPE support
- Implement XDISPLOC option support
- Get around to implementing negotiation parsing
- Handle TCP URGENT data properly
- Make Net::Telnet::Connection thread-safe
- An exception should be thrown when receiving potentially malicious data rather than closing the connection silently
- Implement ECHO support
- bin/p6telnet needs to be written
- There needs to be a binary that fetches supported/preferred options