Re: Unicode 3.0.1 fixes UTF-8 spec security problem

["H. Peter Anvin" <hpa@xxxxxxxxx>]

Followup to:  <C110A2268F8DD111AA1A00805F85E58D0115A8E0@ntgbg1>
By author:    Karlsson Kent - keka <keka@xxxxx>
In newsgroup: linux.utf8
> > 
> > Ummm... YES there is such a security issue: there are security issues
> > caused by allowing a single string to be encoded in multiple different
> > ways.  In fact, a whole slew of security holes in especially
> > Microsoft-based web software (servers and clients) have been caused
> > just by this -- Microsoft OS's being more vulnerable to this since
> > unlike Unix they have lots of redundant spellings.
> 
> Please read my message again!  No security issue that has surfaced
> do as far I know involve non-ASCII characters, in particular none of them
> can (yet) involve any supplementary characters (non-BMP characters),
> since none have been allocated yet.  However, when allocated, I don't
> see it likely that anyone will use supplementary characters to spell
> commands or use them as "magic" characters (like e.g. /) in some way.

Please read *MY* message again!  I'm pointing to a known issue when
string A and string B compare unequal, and later compare equal.  There
*ARE* known security issues with that.

> In the unlikely event that that happens, also the "irregular" case may
> some day be made "illegal" too.  The "fix" done to the Unicode conformace
> rules illegalises the "multiple coding" issue with UTF-8 and BMP
> characters, while not making non-conformant nearly every currently
> deployed implementation of Unicode, except for a few places where
> there may be security issues.

	-hpa
-- 
<hpa@xxxxxxxxxxxxx> at work, <hpa@xxxxxxxxx> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt
-
Linux-UTF8:   i18n of Linux on all levels
Archive:      http://mail.nl.linux.org/lists/