closed a third. Turns out Windows sometimes do fun IDN-like unicide-to-ascii conversions for command lines that then allows users to insert unicode characters in cmdline argument when run on windows, and they are converted to their ASCII look-alike counterparts. Which can be abused to insert arguments and what not.
Not a curl security flaw. Just the weirdest Windows feature I've seen in a while. And probably a security problem in many places.
daniel:// stenberg:// /
npub1cm…penqe
2024-06-16 08:06:20
in reply to nevent1q…uut3
Author Public Key
npub1cm0ds9u8u42r7xeq7zwhgjcgj3p4ynv7dlj2jk4wknq8kshqzt9smpenqePublished at
2024-06-16 08:06:20Event JSON
{
"id": "eafd580da200f930ecce415227c4713d3785a46eef5ff63d7a56cba8db6fc679",
"pubkey": "c6ded81787e5543f1b20f09d744b089443524d9e6fe4a95aaeb4c07b42e012cb",
"created_at": 1718525180,
"kind": 1,
"tags": [
[
"proxy",
"https://mastodon.social/@bagder/112625266227554315",
"web"
],
[
"e",
"954dbcdf824b8cd5e2cdba3458ec9bba5c62e15044a679d85f1cadf2873bf416",
"",
"reply"
],
[
"p",
"c6ded81787e5543f1b20f09d744b089443524d9e6fe4a95aaeb4c07b42e012cb"
],
[
"e",
"3b057eaa8a589a84203a8742599b033ec66a702af75cc6c203f83c792b99a9f3",
"",
"root"
],
[
"proxy",
"https://mastodon.social/users/bagder/statuses/112625266227554315",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://mastodon.social/users/bagder/statuses/112625266227554315",
"pink.momostr"
]
],
"content": "closed a third. Turns out Windows sometimes do fun IDN-like unicide-to-ascii conversions for command lines that then allows users to insert unicode characters in cmdline argument when run on windows, and they are converted to their ASCII look-alike counterparts. Which can be abused to insert arguments and what not.\n\nNot a curl security flaw. Just the weirdest Windows feature I've seen in a while. And probably a security problem in many places.",
"sig": "f9f2a9015804955de5b3e6d7b5a2a313207935d2ae903f65b3e0a108e85bb186d25dde9cd7391afdaf08403c705881b861b921fe3126b11714f04e2dac6c0b8b"
}