Development

Implementing ptsname_r on OSX with Rust

I've been working on a project with rust that requires creating a pseudo-terminal and like many others, I've run into a lot of problems with the functions available to get a pair of master/slave fds for my PTY. openpty int openpty(int *amaster, int *aslave, char *name, const struct termios *termp, const struct winsize *winp); This function seems like a good fit at first glance but the documentation contains this disclaimer: Nobody knows how much space should be reserved for name. So, calling openpty() or forkpty() with non-NULL name…

Keep reading

Node.JS Request Smuggling

The Node HTTP Client checks for invalid characters such as new lines that can be used to perform HTTP Smuggling attacks, however, the rules for the path option are quite relaxed. By combining the fact that we can inject new lines and tabs in the path, we can force multiple arbitrary HTTP requests to made. This only works if the target HTTP server has a relaxed HTTP parser that allows tabs instead of spaces (for example, Apache). This was tested in node version v0.12-v6.20 (stable) and should work…

Keep reading