Mark Steward
Hmm, I'm not interested in tearing stuff out immediately. There's a lot of code updates to make first.
https://github.com/tehmaze-labs/modem/blob/multi-protocol/modem/protocol/zmodem.py also looks like a possible place to start
Aha, that's exactly what I was doing, thanks.
You can also leak data by injecting into CSS, e.g. `input[value^="a"] { background-image: url(...) }`, so make sure it's not possible to specify the _raw argument via the HTML pages...
Yep, and it's a fairly fiddly attack mechanism. But this feature is at its heart CSS injection so probably deserves a hazmat label. Any column specified with `?_raw=` must be...
I also suspect [this](https://docs.docker.com/engine/cli/proxy/#run-containers-with-a-proxy-configuration) could never have worked in practice:

```
$ docker run --rm alpine sh -c 'env | grep -i _PROXY'
https_proxy=http://proxy.example.com:3129
HTTPS_PROXY=http://proxy.example.com:3129
```

That's an http:// URL...
https://docs.docker.com/reference/cli/dockerd/, which links to the page above, is quite clear about the use of HTTP/HTTPS_PROXY and gets it right, i.e.:

> Proxy URL for HTTPS requests unless overridden by NoProxy....
Would there be more chance of getting this fixed if I provide a PR?
/lifecycle frozen
/remove-lifecycle stale