Why what you see and what is stored diverge: the truth behind mojibake, and an introduction to UTF-8 and CRLF
https://qiita.com/nucomiya/items/198418fa614e6a41098c?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items
Many people gave feedback: too many sites would not accept "just LF" in HTTP headers, and Richard Hipp changed the proposal:
Call to action by Richard Hipp, best known as creator of #SQLite, to stop using the carriage-return/linefeed (CRLF) sequence altogether. Linefeed (LF) is never used as "just a linefeed"; we had better rename the U+000a character to what it is really used for: Newline (NL). Carriage return (CR) should only be used to overwrite on the same line.
He substantiates his point here:
https://fossil-scm.org/home/ext/crlf-harmful.md
> If some other program (on Windows) is having a problem parsing or manipulating the pyproject.toml file because it insists on using only plain newlines as line endings, that's almost certainly a bug in that tool.
It would also be a #bug in a #Linux/#Unix tool if it couldn't handle #CRLF endings in such files.
But knowing this doesn't help the OP, who wants Unix line endings on a #Windows platform. A lot of tools don't make allowance for that.
1/2
To be fair, I have to say that it had nothing to do with #Microsoft's #C17. At the end of the day, #Windows with its #CRLF instead of #LF at the end of lines in text files provoked a chain of crashes. All OSes compile that now, from #C99 on...
But I managed to "trigger" #Fefe with the matter...😂 - and yesterday we emailed back and forth six times...
He is a bit of a "rascal", but I like and appreciate him a lot!
From him: "You can't just go bashing Microsoft..." - that was the best part... 🤭
Found a great #opensource tool to scan sites for a laundry list of vulnerabilities https://github.com/h4r5h1t/webcopilot.
Just used it to scan all my company domains, works great!
The tools integrated into this single app are the same tools "security researchers" use to scan sites for #xss #SQLi #ssrf #crlf #lfi #subdomaintakeover #openredirect, etc. vulnerabilities - into a single CLI tool.
Can also help avoid/confirm those "beg-bounty" situations where a simple misconfiguration is touted as a "critical vulnerability" because someone uses a quick scanning tool to determine that sub-domain take-over is possible (very common, not critical, easy to fix), or missing DMARC records are present (which 98% of all Internet sites have issues with, and is very easy to fix) to demand a cash reward so they can "share additional critical vulnerabilities" that aren't a thing - they just want money.
Have fun!
An automation tool that enumerates subdomains then filters out xss, sqli, open redirect, lfi, ssrf and rce parameters and then scans for vulnerabilities. - h4r5h1t/webcopilot
The SMTP Smuggling security vulnerability (the LF problem), and the issue of Postfix being ignored
#Computer #Mail #Murmuring #Network #Security #Software #37c3 #consult #cr #crlf #lf #newline #sec #security #smtp #smuggling #spf #talk #vulnerability
Saw the attack "SMTP Smuggling – Spoofing Email Worldwide (sec-consult.com)" on Hacker News; the original article is "SMTP Smuggling - Spoofing E-Mails Worldwide". The image at the top explains the general idea: it exploits the fact that different SMTP server implementations handle the end of DATA differently, and the problem shows up when two SMTP servers hand mail to each other. In more detail, it is when encountering a non-\r\n.