decapsulate uses a substring matching technique to find the subaddress to be removed.
However, there is no safeguard for this substring to be part of content before the subaddress, eg. an IP address.
This PR adds a test that crashes if the vulnerability exist:
decapsulate
uses a substring matching technique to find the subaddress to be removed. However, there is no safeguard for this substring to be part of content before the subaddress, eg. an IP address.This PR adds a test that crashes if the vulnerability exist:
I am not sending a fix right now, because I think the best way to fix that would be to change the internal structure of Multiaddr. See issue #19