I think you can safely assume that apps exist that are not well behaved.
For this type of security problem, I always recommend validating strings after any possible transformations occur. Any sort of conversion could be a problem. Normally I talk about this in a "convert from non-Unicode code page to Unicode" context, e.g., make sure you validate AFTER the conversion, but the concept applies most any time.
Unfortunately many apps do strange things.
-Shawn
-----Original Message-----
From: unicode-bounce_at_unicode.org [mailto:unicode-bounce_at_unicode.org] On Behalf Of Costello, Roger L.
Sent: Friday, March 8, 2013 7:55 AM
To: unicode_at_unicode.org
Subject: Are there any pre-Unicode 5.2 applications still in existence?
Hi Folks,
I have learned that:
In some versions prior to Unicode 5.2, conformance clause C7
allowed the deletion of noncharacter code points [1]
Are there still in existence applications which delete noncharacter code points from strings?
Are there any pre-Unicode 5.2 applications still in existence?
The paper at [1] describes the security risk with deleting noncharacter code points. Is this risk still a concern, or can one assume that there are no more applications which delete noncharacter code points?
/Roger
[1] http://www.unicode.org/reports/tr36/#Deletion_of_Noncharacters
Received on Fri Mar 08 2013 - 12:47:45 CST
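The ordering issue discussed in this thread, as an added example that is not part of the original messages: a filter that validates a string before a later stage deletes noncharacter code points, next to the same filter validating after the transformation, plus replacement with U+FFFD instead of deletion. All function names, the toy blocklist rule and the sample input are constructed for illustration.

```python
import re

def is_noncharacter(cp: int) -> bool:
    # The 66 Unicode noncharacters: U+FDD0..U+FDEF plus the last two
    # code points of each of the 17 planes (U+xxFFFE and U+xxFFFF).
    return 0xFDD0 <= cp <= 0xFDEF or (cp & 0xFFFE) == 0xFFFE

def delete_noncharacters(s: str) -> str:
    # Stand-in for a downstream component that silently drops
    # noncharacters, the behaviour the thread asks about.
    return "".join(ch for ch in s if not is_noncharacter(ord(ch)))

def replace_noncharacters(s: str) -> str:
    # Alternative to deletion: substitute U+FFFD so the neighbouring
    # characters never become adjacent.
    return "".join("\uFFFD" if is_noncharacter(ord(ch)) else ch for ch in s)

# Constructed toy rule standing in for whatever the application validates.
BLOCKED = re.compile(r"<\s*script", re.IGNORECASE)

def is_allowed(s: str) -> bool:
    return BLOCKED.search(s) is None

def validate_then_transform(s: str):
    # Weak ordering: the check sees the string before it changes.
    if not is_allowed(s):
        return None
    return delete_noncharacters(s)

def transform_then_validate(s: str):
    # Ordering recommended in the reply: check the final form.
    out = delete_noncharacters(s)
    return out if is_allowed(out) else None

# Constructed input: a noncharacter splits the token the rule looks for.
SAMPLE = "<scr\uFFFEipt>"

if __name__ == "__main__":
    print("validate first :", repr(validate_then_transform(SAMPLE)))
    print("validate last  :", repr(transform_then_validate(SAMPLE)))
    print("replace, check :", repr(replace_noncharacters(SAMPLE)),
          is_allowed(replace_noncharacters(SAMPLE)))
```
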