Did y'all notice librsvg's CVE from right before GUADEC?

Zac Sims just published a very nice analysis of how the Canva engineers found the bug.

When URL parsers disagree: Discovery and walkthrough of CVE-2023-38633 in librsvg - https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/

@84494f2b ahh now I know why you were asking about query params on file URLs a few months ago :)