"it's rather trivial"? Have you done it?
It's pretty hard with strcmp. On modern x86_64 strcmp is vectorised and the first N bytes are compared simultaneously. I have code samples + remote exploit code against nonvectorised strcmp; I can write this up if…
I tried to get nrepl to accept http requests once and I couldn't make it validate anything. (But of course I'd love to see someone manage to do it...)
I don't think this is the same vulnerability. You don't even need to rebind DNS to do it, I believe: just make an XmlHTTPRequest. Your GET is considered code. The browser will get back a request that doesn't have a cors…
It's not only a DNS rebind attack. I'm pretty sure in this case even a GET could get rce , so you don't even need to check the cors headers. You can just XHR.
That could be nice. So, now the browser needs to understand routing tables?
Emacs has this: org mode and Dita.
Do you browse to html files on your attachment server? That's a pretty bad idea security-wise
Some portion of the work could be comstant-time.
Importantly, fetching DNS twice (once to check, another to download) is an incomplete solution, since DNS responses can change (cf "DNS rebinding").
How does it get past aslr? You still need to find addresses of the movs, don't you?
On iPhone, user-mode exploits remain sandboxed. On Android, on rooted devices, user mode code tends to be able to get root.
fwiw, stateless light switches are nice in that you can have many light switches controlling the same light. Not saying they're perfect but they have advantages.
I can't believe New Jersey would let someone brazenly advertise religiously-motivated cannibalism.
"undefined" isn't the problem here, seq is.
"it's rather trivial"? Have you done it?
It's pretty hard with strcmp. On modern x86_64 strcmp is vectorised and the first N bytes are compared simultaneously. I have code samples + remote exploit code against nonvectorised strcmp; I can write this up if…
I tried to get nrepl to accept http requests once and I couldn't make it validate anything. (But of course I'd love to see someone manage to do it...)
I don't think this is the same vulnerability. You don't even need to rebind DNS to do it, I believe: just make an XmlHTTPRequest. Your GET is considered code. The browser will get back a request that doesn't have a cors…
It's not only a DNS rebind attack. I'm pretty sure in this case even a GET could get rce , so you don't even need to check the cors headers. You can just XHR.
That could be nice. So, now the browser needs to understand routing tables?
Emacs has this: org mode and Dita.
Do you browse to html files on your attachment server? That's a pretty bad idea security-wise
Some portion of the work could be comstant-time.
Importantly, fetching DNS twice (once to check, another to download) is an incomplete solution, since DNS responses can change (cf "DNS rebinding").
How does it get past aslr? You still need to find addresses of the movs, don't you?
On iPhone, user-mode exploits remain sandboxed. On Android, on rooted devices, user mode code tends to be able to get root.
fwiw, stateless light switches are nice in that you can have many light switches controlling the same light. Not saying they're perfect but they have advantages.
fwiw, stateless light switches are nice in that you can have many light switches controlling the same light. Not saying they're perfect but they have advantages.
I can't believe New Jersey would let someone brazenly advertise religiously-motivated cannibalism.
"undefined" isn't the problem here, seq is.