
7 Sep 2025, 5:34 p.m.
Once upon a time, Job Snijders <job@sobornost.net> said:
> If I worked at Juniper/HPE ... I'd use something like strnvis() to sanitize the (untrusted) network input contained within a Shutdown Communication. See the documentation here https://man.openbsd.org/vis.3

JUNOS already contains some XML encoding code, since essentially day 1 (since they were emitting XML from the backend)... but this makes it look like the NETCONF code isn't using it. This could be a security issue - what if somebody sends '</whatever><then-more-XML>...' in a message?

--
Chris Adams <cma@cmadams.net>
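
As an added illustration of the concern raised in this message (not code from the post, from JUNOS, or from OpenBSD): a C helper that escapes XML markup characters in untrusted message bytes before they are embedded in XML output, and encodes control and non-ASCII bytes as vis(3)-style octal escapes. The function name `xml_escape_untrusted`, the `<message>` element and the sample input are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not JUNOS code: copy untrusted bytes into dst as XML-safe
 * text. Markup characters become entities; control and non-ASCII bytes become
 * vis(3)-style \ooo escapes. Returns 0, or -1 (dst emptied) if dst is too small. */
int xml_escape_untrusted(char *dst, size_t dstlen,
                         const unsigned char *src, size_t srclen)
{
    size_t o = 0;
    char tmp[8];

    if (dstlen == 0)
        return -1;
    for (size_t i = 0; i < srclen; i++) {
        const char *rep = tmp;
        unsigned char c = src[i];

        switch (c) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&apos;"; break;
        case '\\': rep = "\\\\";   break;  /* keep \ooo escapes unambiguous */
        default:
            snprintf(tmp, sizeof(tmp), (c < 0x20 || c >= 0x7f) ? "\\%03o" : "%c", c);
        }
        size_t n = strlen(rep);
        if (o + n >= dstlen) {          /* always leave room for the NUL */
            dst[0] = '\0';
            return -1;
        }
        memcpy(dst + o, rep, n);
        o += n;
    }
    dst[o] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample input; the element name is hypothetical. */
    const unsigned char msg[] = "maint</whatever><then-more-XML>\a";
    char out[256];

    if (xml_escape_untrusted(out, sizeof(out), msg, sizeof(msg) - 1) == 0)
        printf("<message>%s</message>\n", out);
    return 0;
}
```

Encoding every non-ASCII byte is a conservative choice that also flattens legitimate UTF-8 text; a caller that needs to preserve it would validate the UTF-8 first and escape only what fails.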