by nixpulvis
2449 days ago
I haven't had enough time to truly grasp the changes in the patch, but the use of a prefix, and a well-known encoding scheme sounds a bit iffy to me. What's stopping an attacker from looking at the definitions here: https://github.com/gnachman/iTerm2/commit/538d570ea54614d3a2... and using the same `NSUTF8StringEncoding` to build the same attacks?

EDIT: Of course GitHub doesn't follow fragment ids when they are part of a large diff, but you can open up `sources/TmuxController.m` yourself.