closed a third. Turns out Windows sometimes does fun IDN-like Unicode-to-ASCII conversions for command lines, which then allows users to insert Unicode characters in command-line arguments when run on Windows, and they are converted to their ASCII look-alike counterparts. This can be abused to insert arguments and what not.
Not a curl security flaw. Just the weirdest Windows feature I've seen in a while. And probably a security problem in many places.
"The ToASCII operation is used before sending an IDN to something that expects ASCII names (such as a resolver) or writing an IDN into a place that expects ASCII names (such as a DNS master file)."
I read that so that the output of ToASCII is a domain name, to be sent to a DNS server. If the output is an IP address, that is something else.
I agree that IDN is broken for that kind of URL, *but* you cannot have IDN in an IP address, so if the IDN decoding gives you an IP address, one could argue that that should not be allowed.
But IDN would have been so much better if it had just banned that kind of substitution outright. I remember this being a pain when we first implemented IDN at my previous day job (Opera Software).
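The check argued for in the posts above, as an added example that is not part of the original thread: run the IDNA ToASCII operation over a hostname and then test whether the result is an IP address literal, which a domain-name operation should never have produced. The names `idn_to_ascii`, `classify_host` and `is_acceptable_hostname` are assumed for illustration. It uses only the Python standard library, whose `idna` codec implements IDNA2003 (RFC 3490/3491 nameprep, including NFKC mapping); the UTS #46 mapping that browsers use behaves similarly for the fullwidth digits shown here but is not identical, so treat the mapping step as an assumption about the processing in use. All sample inputs are constructed.

```python
"""Added example (not from the thread): detect hosts that only become an IP
address literal after IDN ToASCII mapping, and reject them.

Assumption: the stdlib "idna" codec (IDNA2003 nameprep + punycode) stands in
for whatever IDN processing a real URL parser applies. Samples are constructed.
"""
import ipaddress


def idn_to_ascii(host: str) -> str:
    """Run the IDNA ToASCII operation over every label of host."""
    return host.encode("idna").decode("ascii")


def classify_host(host: str) -> tuple[str, str]:
    """Return ("ip", literal) if ToASCII produced an IP address literal,
    otherwise ("name", ascii_hostname).

    ToASCII is defined for domain names; a result that parses as an IP
    address was therefore never a domain name, and a URL parser can
    legitimately refuse it instead of treating it as a hostname.
    """
    ascii_host = idn_to_ascii(host)
    try:
        ip = ipaddress.ip_address(ascii_host)
    except ValueError:
        return ("name", ascii_host)
    return ("ip", str(ip))


def is_acceptable_hostname(host: str) -> bool:
    """Policy from the discussion: a host that turns into an IP address only
    through IDN mapping is rejected; ASCII IP literals and real names pass."""
    kind, ascii_host = classify_host(host)
    if kind == "ip":
        # Accept the literal only if the caller already wrote it in ASCII.
        return host == ascii_host
    return True


if __name__ == "__main__":
    # Constructed samples: an ordinary name, a real IDN, an ASCII IP literal,
    # and fullwidth digits/full stops that nameprep maps to "127.0.0.1".
    fullwidth_loopback = "\uff11\uff12\uff17\uff0e\uff10\uff0e\uff10\uff0e\uff11"
    for sample in ["example.com", "bücher.example", "127.0.0.1", fullwidth_loopback]:
        verdict = "accepted" if is_acceptable_hostname(sample) else "rejected"
        print(repr(sample), "->", classify_host(sample), verdict)
```

The fullwidth sample is exactly the case the thread describes: every label is non-ASCII, ToASCII maps each one to plain digits, and the joined result is a dotted-quad that `ipaddress` parses without complaint. Running the IP-literal check after, not before, the IDN step is what makes the difference.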
A classic hometown-wrestler-in-the-main-event booking for #WWE. A slight twist having #CMPunk as the referee stand-in, though, didn't expect that one. WWE will be WWE, no matter what management it is under, I guess. Too bad on a good match.
#WWECastle started out with a fairly crap match, but the next two have delivered. I liked the Sami Zayn match, but I am a big Sami Zayn fan... Looks like I need to actually watch Raw next week, looking at that QR code that dropped...
@forteller like others have said, to survive a reboot you need some way to come back up. That kind of mechanism is called “persistence” - these kinds of vulnerabilities have become progressively harder to find in phone OSs, so the price for a good one (with an exploit) can be in the millions of dollars range. But if they are found they could potentially be fixed by the vendor. So they are used carefully. Otherwise it’s money out the window. So unless you are a high value target they probably won’t risk using it for you. And without persistence, reboot will clear it. Of course you have all sorts of spyware you (or someone with access to your phone) might’ve installed on purpose, but that’s another matter.
@xtaran @popey My go-to software for that is PLOP Boot Manager, it usually allows me to boot whatever I want from any device. I mostly use it to boot VirtualBox from physical USB, but I have also used it to boot from USB on old servers that didn't support it out of the box.
@deavid I went to the QA page on https://tracker.debian.org/pkg/docker.io and looked at the open issues. The Debian packaging process is quite transparent, so this information is usually easy to find once you learn where to look.
Browsing through posts on #StarTrekDiscovery I find a lot of references to a Short Treks episode called "Calypso". Does anyone know where to find it (in Norway)? #SkyShowtime only has four episodes of Short Treks, and it's not on YouTube either?
Software Developer (ex-Opera), computer nerd, pro-wrestling and Eurovision Song Contest fan. Oslo, Norway (ex-Sweden).
Thinks football (en-US: soccer) is boring.
Self-diagnosed aphantasia - aphantasia.com/vviq/
Hexadecimal is better than binary.
Grumpy, middle-aged, cis-gender white man.
Accept-Language: sv;q=1.0, en;q=0.95, nb;q=0.8, da;q=0.5, nn;q=0.4, de;q=0.25