> I don't think this patch is enough -- either we need to escape the text
> completely or just dump it as hex instead of a string. One option would
> be to dump it in quotes as a string if all chars in the string are in
> the range 0x20-0x7e, and as hex otherwise. That slightly complicates the
> parsing, but not by much, and still gives you plain text in the majority
> of cases while protecting against abuse.


Dumping in hex instead of string would have a testing impact. Using a string in quotes would be a
smaller hit, but there still would be additional impact to test the "hex otherwise" case.



Kris Wilson
Linux Security
(512) 838-0126 T/L:678-0126
krisw@us.ibm.com
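The quoted proposal (a quoted string when every byte is in 0x20-0x7e, hex otherwise), together with the "hex otherwise" path the reply says needs testing, sketched as an added example that is not code from the patch under discussion. The function names `encode_field` and `decode_field`, the uppercase hex alphabet, and the choice to also send a double quote down the hex path (it would otherwise end the quoted form early) are assumptions of this example.

```c
#include <string.h>

/* 1 if every byte is printable ASCII (0x20-0x7e) and not a double quote. */
static int is_plain(const unsigned char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (s[i] < 0x20 || s[i] > 0x7e || s[i] == '"')
            return 0;
    return 1;
}

/* Encode untrusted bytes; returns chars written or -1 if out is too small. */
int encode_field(const unsigned char *s, size_t n, char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    int plain = is_plain(s, n);
    size_t need = plain ? n + 2 : 2 * n;
    if (need + 1 > outsz) return -1;
    if (plain) {
        out[0] = out[n + 1] = '"';
        memcpy(out + 1, s, n);
    } else {
        for (size_t i = 0; i < n; i++) {
            out[2 * i] = hex[s[i] >> 4];
            out[2 * i + 1] = hex[s[i] & 0x0f];
        }
    }
    out[need] = '\0';
    return (int)need;
}

/* Decode: leading quote means literal text, otherwise hex pairs; -1 if malformed. */
int decode_field(const char *in, unsigned char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t len = strlen(in);
    if (in[0] == '"') {
        if (len < 2 || in[len - 1] != '"' || len - 2 > outsz) return -1;
        memcpy(out, in + 1, len - 2);
        return (int)(len - 2);
    }
    if (len % 2 || len / 2 > outsz) return -1;
    for (size_t i = 0; i < len / 2; i++) {
        const char *h = strchr(hex, in[2 * i]), *l = strchr(hex, in[2 * i + 1]);
        if (!h || !l) return -1;
        out[i] = (unsigned char)((h - hex) << 4 | (l - hex));
    }
    return (int)(len / 2);
}
```

Because the hex form can never begin with a double quote, the first character of a field tells the parser which form it is reading, and a value containing a newline can no longer start a new record or forge a second field.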