OpenOCD can be targeted by a Cross Protocol Scripting attack from
a web browser running malicious code, such as the following PoC:

  var x = new XMLHttpRequest();
  x.open("POST", "http://127.0.0.1:4444", true);
  x.send("exec xcalc\r\n");

This mitigation should provide some protection from browser-based
attacks and is based on the corresponding fix in Redis:
8075572207/src/networking.c (L1758)
Change-Id: Ia96ebe19b74b5805dc228bf7364c7971a90a4581
Signed-off-by: Andreas Fritiofson <andreas.fritiofson@gmail.com>
Reported-by: Josef Gajdusek <atx@atx.name>
Reviewed-on: http://openocd.zylin.com/4335
Tested-by: jenkins
Reviewed-by: Jonathan McDowell <noodles-openocd@earth.li>
Reviewed-by: Paul Fertser <fercerpav@gmail.com>
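
The kind of check the commit message above describes, as an added example that is not OpenOCD's or Redis's own code: a line-based command server closes the connection as soon as a received line looks like the start of an HTTP request, so the request body is never interpreted. The function names, the marker list and the sample stream are assumptions constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Prefixes that open an HTTP request but are not debugger commands.
 * Assumption of this example: the same two markers Redis checks for. */
static const char *const http_markers[] = { "POST ", "Host: " };

/* Return 1 if a received line (CR/LF stripped) looks like HTTP. */
int looks_like_http(const char *line)
{
	for (size_t i = 0; i < sizeof(http_markers) / sizeof(http_markers[0]); i++)
		if (strncmp(line, http_markers[i], strlen(http_markers[i])) == 0)
			return 1;
	return 0;
}

/* Walk a raw byte stream line by line. Returns how many lines would have
 * been executed; *dropped is 1 if an HTTP marker closed the connection. */
int process_stream(const char *stream, int *dropped)
{
	char line[256];
	int executed = 0;
	*dropped = 0;
	while (*stream) {
		size_t n = strcspn(stream, "\r\n");
		size_t len = n < sizeof(line) ? n : sizeof(line) - 1;
		memcpy(line, stream, len);
		line[len] = '\0';
		stream += n;
		stream += strspn(stream, "\r\n");
		if (n == 0)
			continue;	/* blank line */
		if (looks_like_http(line)) {
			*dropped = 1;	/* close before anything later runs */
			return executed;
		}
		executed++;		/* a real server would run the command here */
	}
	return executed;
}

int main(void)
{
	/* Constructed sample: the bytes a browser sends for the PoC's POST. */
	const char *browser = "POST / HTTP/1.1\r\nHost: 127.0.0.1:4444\r\n"
			      "Content-Length: 12\r\n\r\nexec xcalc\r\n";
	int dropped, n = process_stream(browser, &dropped);
	printf("executed=%d dropped=%d\n", n, dropped);
	return 0;
}
```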

Fix a bunch of typos.
Most are in code comments, so nothing should break. UNKOWN_COMMAND and
CMD_UNKOWN are not used elsewhere, so correcting the spelling should
also not break anything.

Moves definitions for each layer into their own file, eliminating
layering violations in the built-in TCL code. Updates src/Makefile.am
rules to include all files in the final startup.tcl input file, and
other Makefile.am rules to distribute the new files in our packages.