Re: Win IE 7b2 and UTF-8

From: Philippe Verdy (
Date: Sun May 14 2006 - 22:19:22 CDT

  • Next message: Keutgen, Walter: "RE: Win IE 7b2 and UTF-8"

    Now I fear that this exposed bug will be used in some malwares or virus, trying to defeat the security checks, notably to create alternate user names on a system that get the same privileges as another user, or to pass through afilenamesafety check on a server or active component embedded in a web page, to overwrite critical system files

    (think about all the possible invalid UTF-8 encoding of the Yen character on a Japanese Windows system, and how the security check, which correctly assumed that a filename that decodes successfully to UTF-8 and does not contain any U+FFFD is effectively correctly UTF-8-encoded, and so would accept a filename which will then be interpreted liberally as if this incorrectly encoded Yen symbol was the Japanese pathname separator...)

      ----- Original Message -----
      From: Mark Davis
      To: Doug Ewell
      Cc: Unicode Mailing List ; Keutgen, Walter ; Philippe Verdy
      Sent: Saturday, May 13, 2006 7:32 PM
      Subject: Re: Win IE 7b2 and UTF-8

      One option is to map any ill-formed UTF-8 sequence to a safe replacement, like U+FFFD. That prevents the non-shortest form sequences from causing security problems.

    This archive was generated by hypermail 2.1.5 : Sun May 14 2006 - 22:22:34 CDT