
RE: Unicode 3.0.1 fixes UTF-8 spec security problem

> -----Original Message-----
> From: H. Peter Anvin [mailto:hpa@xxxxxxxxx]
...
> > Please read my message again!  No security issue that has surfaced
> > does, as far as I know, involve non-ASCII characters, in particular
> > none of them can (yet) involve any supplementary characters (non-BMP
> > characters), since none have been allocated yet.  However, when
> > allocated, I don't see it likely that anyone will use supplementary
> > characters to spell commands or use them as "magic" characters (like
> > e.g. /) in some way.
> 
> Please read *MY* message again!  I'm pointing to a known issue when
> string A and string B compare unequal, and later compare equal.  There
> *ARE* known security issues with that.

Other multiple spellings that are not related to "overlong" UTF-8 sequences,
which is what we were discussing, are irrelevant to any fix of UTF-8.  No fix
to UTF-8 rules can do anything about other kinds of multiple spellings, of
course.  There are other multiple spellings that are related to Unicode,
though not to UTF-8 in particular: canonically equivalent forms.  Canonical
equivalences, and whether to normalise or make no normalisation, are
issues that need to be considered from a security point of view, in
particular when computing digital signatures.  But that was not what we were
talking about, nor other kinds of multiple spellings, like "case
insensitivity" or the use of alternative punctuation with the same 'meaning'.

		/kent k
-
Linux-UTF8:   i18n of Linux on all levels
Archive:      http://mail.nl.linux.org/lists/