Improve validation of note and override ports #1045
src/manage_sql.c
Outdated
|
||
if (strncmp ("general/", port, 8) == 0) | ||
return 0; | ||
/* "cpe:abc", "general/tcp", "20/upd" |
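Review bot: the strncmp ("general/", port, 8) == 0 early return only looks at the first eight characters, so whatever follows the prefix is never checked. If 0 is the "valid" result here, an input such as "general/tcp,80/tcp" returns before the , and ; restriction described in the comment can apply. Consider matching the full set of allowed general/ values, or running the separator check before this return. The literal 8 is also easy to get out of sync with the string; strlen ("general/") or g_str_has_prefix (port, "general/") would avoid that.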
/* "cpe:abc", "general/tcp", "20/upd" | |
/* "cpe:abc", "general/tcp", "20/udp" |
Fixed in 917206a.
src/manage_sql.c
Outdated
/* "cpe:abc", "general/tcp", "20/upd" | ||
* | ||
* The , and ; is to stop users from entering lists of ports. | ||
* CPE doesn't use them because seems like they're valid in CPEs. */ |
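Review bot: the comment names only , and ; as the characters that stop lists of ports, and it does not say what the function returns for accepted and rejected input. If whitespace or other separators are also meant to be rejected for the non-CPE forms, say so here, and add a line documenting the return values so callers can rely on the contract without reading the body.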
This could be a bit clearer that it's referring to the restriction not containing , and ; for CPEs.
Also, whether the characters are allowed without percent escaping depends on the version of the specification.
If I understand it correctly, 2.2 (the version we currently use) requires them to be escaped.
(Chapter 5.4. in https://cpe.mitre.org/specification/2.2/cpe-specification_2.2.pdf)
Improved in 5ce9e79.
I don't think we need to worry about escaping at this point. Ultimately we could use a full CPE regex (saw one at https://csrc.nist.gov/schema/cpe/2.3/cpe-naming_2.3.xsd) but it might prove too restrictive (e.g. won't allow for errors in the shipped CPEs or mixed CPE versions). Anyway, a topic for a future PR, I'd say.
This is the port validation used by GMP CREATE/MODIFY_NOTE/OVERRIDE.
Checklist: