Daniel Stenberg, author of the curl tool for sending and receiving data over the network, has criticized the use of AI tools in vulnerability reporting. Such reports contain detailed information, are written in clear language and look high-quality, but without careful analysis they can mislead, replacing real problems with polished content that is in fact junk.
The curl project pays rewards for identifying new vulnerabilities. Of the 415 reports of possible issues received, only 64 were confirmed as vulnerabilities and 77 turned out to be non-security bugs. In other words, 66% of all reports contained nothing useful and simply wasted developer time that could have been spent on something more productive.
Developers are forced to spend effort analysing useless reports and re-checking the information repeatedly, because the apparent quality of the information lends it credibility and creates the impression that the developer has misunderstood something. The submitter, on the other hand, expends very little effort producing such a report: no attempt is made to verify that a real problem exists, the data obtained from AI assistants is simply copied in, and the submitter hopes to get lucky and win a reward.
Two examples of such junk reports. The day before the scheduled disclosure of a serious vulnerability (CVE-2023-38545) published in October, a report was submitted via Hackerone claiming that a patch with a fix had been made public. In reality, the report contained a mixture of facts about similar issues and fragments of detailed information about earlier vulnerabilities, compiled by Google's Bard AI assistant. The resulting text looked new and meaningful but had no connection to reality.
The second example concerns a report about a buffer overflow in a WebSocket handler, received on 28 December from a user who had previously reported vulnerabilities to many projects via Hackerone. The report described, in general terms, a method for reproducing the issue: sending a modified request with a value larger than the buffer used when copying with strcpy. It also provided an example fix (replacing strcpy with strncpy) and a link to the code line "strcpy(keyval, randstr)" that the reporter believed contained the bug.
The developer reviewed everything three times and found no problem, but because the report was written confidently and even included a fix, he thought he must be missing something. Attempts to explain how the researcher had overlooked the explicit size check performed before the strcpy call, and how the size of the keyval buffer relates to the data being read, produced detailed but empty explanations that merely restated the general causes of buffer overflows without any connection to curl's actual code. The replies read like a conversation with an AI assistant, and after spending half a day trying to find how the problem could arise, the developer concluded that there was no vulnerability.
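An added example, constructed for this page and not curl's own code (KEYVAL_SIZE is an assumed buffer size): the guarded-copy pattern the developer described, where a length check ahead of strcpy rejects values that would not fit, beside the strncpy replacement the report proposed, which on its own is not a fix because it leaves the buffer unterminated when the value fills it.

```c
#include <string.h>

/* Constructed illustration, not curl's source. KEYVAL_SIZE is an assumed
 * buffer size used only to make the example concrete. */
#define KEYVAL_SIZE 32

/* The pattern the developer described: an explicit length check runs before
 * strcpy, so the copy only happens when the value (plus its NUL) fits.
 * Returns 1 if copied, 0 if the input was rejected as too long. */
static int copy_guarded(char *keyval, size_t size, const char *randstr)
{
    size_t len = strlen(randstr);
    if (len >= size)            /* no room for len bytes plus the NUL */
        return 0;
    strcpy(keyval, randstr);    /* cannot overflow: len + 1 <= size */
    return 1;
}

/* Drive copy_guarded with a constructed value of srclen 'A' characters.
 * Returns 1 if it was copied, 0 if rejected, -1 if srclen is out of range. */
static int guarded_accepts(size_t srclen)
{
    char src[256];
    char keyval[KEYVAL_SIZE];
    if (srclen >= sizeof src)
        return -1;
    memset(src, 'A', srclen);
    src[srclen] = '\0';
    return copy_guarded(keyval, sizeof keyval, src);
}

/* The fix the report proposed was strncpy. strncpy writes no terminating NUL
 * when the source is at least as long as the destination, so a later string
 * read of keyval would run past the buffer. Returns 1 if strncpy left keyval
 * NUL-terminated for a source of srclen characters, 0 otherwise. */
static int strncpy_terminates(size_t srclen)
{
    char src[256];
    char keyval[KEYVAL_SIZE];
    if (srclen >= sizeof src)
        return -1;
    memset(src, 'A', srclen);
    src[srclen] = '\0';
    memset(keyval, 'Z', sizeof keyval);   /* make an unterminated result visible */
    strncpy(keyval, src, sizeof keyval);
    return memchr(keyval, '\0', sizeof keyval) != NULL;
}
```

The guard rejects a 32-character value outright, while strncpy accepts it and leaves no terminator, which is why a reviewer should check for the existing length check rather than accept the suggested one-line substitution.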
Source: opennet.ru
