
Re: Unicode 3.0.1 fixes UTF-8 spec security problem



Followup to:  <C110A2268F8DD111AA1A00805F85E58D0115A8DC@ntgbg1>
By author:    Karlsson Kent - keka <keka@xxxxx>
In newsgroup: linux.utf8
> > 
> > Yes, it really is.  Anyone knows why they adopted this half-measure
> > (it fixes 90% of the problem, but it would be nice if they had avoided
> > this additional wart.)
> 
> Yes, but there are just too many "UCS-2 only" implementations deployed.
> They too may (soon) be faced with UTF-16 data, but will not special treat
> the "surrogate" range. There is no particular security issue for the
> non-BMP (non-ASCII really) characters, so leaving the already deployed
> "UCS-2 only" implementations still Unicode conformant is unproblematical 
> (from a security point of view), while requiring their update (to make
> them conformant) would have been problematical (from a Unicode Consortium
> point of view).

Ummm... YES there is such a security issue: there are security issues
caused by allowing a single string to be encoded in multiple different
ways.  In fact, a whole slew of security holes in especially
Microsoft-based web software (servers and clients) have been caused
just by this -- Microsoft OS's being more vulnerable to this since
unlike Unix they have lots of redundant spellings.

       -hpa
-- 
<hpa@xxxxxxxxxxxxx> at work, <hpa@xxxxxxxxx> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt
-
Linux-UTF8:   i18n of Linux on all levels
Archive:      http://mail.nl.linux.org/lists/
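
The multiple-spellings concern raised in the reply above, as an added example that is not part of the original thread: a hand-written UTF-8 decoder whose lax mode maps several distinct byte sequences to the same string, and whose strict mode rejects non-shortest forms and UTF-8-encoded surrogates. The function names and the sample byte strings are constructed for illustration.

```python
# Added example (not from the thread). All byte strings are constructed samples.
def decode_utf8(data: bytes, strict: bool = True) -> str:
    """Hand-rolled UTF-8 decoder.

    strict=True rejects non-shortest forms and UTF-8-encoded surrogates.
    strict=False accepts both and joins surrogate pairs, as a lax
    UTF-16-based consumer would.
    """
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp, lowest = 0, b, 0x0
        elif 0xC0 <= b < 0xE0:
            n, cp, lowest = 1, b & 0x1F, 0x80
        elif 0xE0 <= b < 0xF0:
            n, cp, lowest = 2, b & 0x0F, 0x800
        elif 0xF0 <= b < 0xF8:
            n, cp, lowest = 3, b & 0x07, 0x10000
        else:
            raise ValueError(f"invalid lead byte at offset {i}")
        tail = data[i + 1:i + 1 + n]
        if len(tail) != n or any((t & 0xC0) != 0x80 for t in tail):
            raise ValueError(f"bad continuation at offset {i}")
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if cp > 0x10FFFF:
            raise ValueError(f"code point out of range at offset {i}")
        if strict and cp < lowest:
            raise ValueError(f"non-shortest form at offset {i}")
        if strict and 0xD800 <= cp <= 0xDFFF:
            raise ValueError(f"surrogate code point at offset {i}")
        out.append(chr(cp))
        i += n + 1
    text = "".join(out)
    if not strict:  # pair up surrogates the way a UTF-16 consumer sees them
        raw = text.encode("utf-16-le", "surrogatepass")
        text = raw.decode("utf-16-le", "surrogatepass")
    return text

def accepted(data: bytes, strict: bool) -> bool:
    """True if decode_utf8 accepts the input in the given mode."""
    try:
        decode_utf8(data, strict)
        return True
    except ValueError:
        return False

SPELLINGS_OF_A = [b"\x41", b"\xc1\x81", b"\xe0\x81\x81"]  # U+0041
SPELLINGS_OF_U10000 = [b"\xf0\x90\x80\x80", b"\xed\xa0\x80\xed\xb0\x80"]
```

Any comparison, filter or access check done on the raw bytes sees these spellings as different strings, while a lax decoder downstream sees them as equal; the strict mode leaves exactly one accepted spelling per character.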