Re: Win IE 7b2 and UTF-8

From: Philippe Verdy (verdy_p@wanadoo.fr)
Date: Sun May 14 2006 - 22:19:22 CDT

    Now I fear that this exposed bug will be used in some malware or viruses, trying to defeat the security checks, notably to create alternate user names on a system that get the same privileges as another user, or to pass through a filename safety check on a server or active component embedded in a web page, to overwrite critical system files

    (think about all the possible invalid UTF-8 encoding of the Yen character on a Japanese Windows system, and how the security check, which correctly assumed that a filename that decodes successfully to UTF-8 and does not contain any U+FFFD is effectively correctly UTF-8-encoded, and so would accept a filename which will then be interpreted liberally as if this incorrectly encoded Yen symbol was the Japanese pathname separator...)

      ----- Original Message -----
      From: Mark Davis
      To: Doug Ewell
      Cc: Unicode Mailing List ; Keutgen, Walter ; Philippe Verdy
      Sent: Saturday, May 13, 2006 7:32 PM
      Subject: Re: Win IE 7b2 and UTF-8

      One option is to map any ill-formed UTF-8 sequence to a safe replacement, like U+FFFD. That prevents the non-shortest form sequences from causing security problems.



    This archive was generated by hypermail 2.1.5 : Sun May 14 2006 - 22:22:34 CDT
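
The two points in this message, as an added Python example that is not part of the original thread: a decoder that accepts non-shortest forms yields a separator that a raw-byte check never saw, while decoding strictly (ill-formed sequences become U+FFFD) and checking the decoded name rejects it. The function names, the separator set, and the sample byte strings are assumptions constructed for illustration.

```python
"""Added example: strict vs. lenient UTF-8 decoding ahead of a filename check."""

REPLACEMENT = "\ufffd"
# Assumption: characters this hypothetical check treats as path separators.
SEPARATORS = {"/", "\\", "\u00a5"}

def lenient_decode(data: bytes) -> str:
    """Deliberately lenient decoder: never checks for the shortest form."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            need, cp = 0, b
        elif b >> 5 == 0b110:
            need, cp = 1, b & 0x1F
        elif b >> 4 == 0b1110:
            need, cp = 2, b & 0x0F
        elif b >> 3 == 0b11110:
            need, cp = 3, b & 0x07
        else:
            need, cp = -1, 0  # stray continuation byte or invalid lead
        tail = data[i + 1:i + 1 + max(need, 0)]
        if need < 0 or len(tail) < need or any(c & 0xC0 != 0x80 for c in tail):
            out.append(REPLACEMENT)
            i += 1
            continue
        for c in tail:
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else REPLACEMENT)
        i += 1 + need
    return "".join(out)

def strict_decode(data: bytes) -> str:
    """Ill-formed sequences (non-shortest forms included) become U+FFFD."""
    return data.decode("utf-8", errors="replace")

def is_safe_filename(raw: bytes) -> bool:
    """Decode strictly, then reject U+FFFD and separators in the result."""
    name = strict_decode(raw)
    return REPLACEMENT not in name and not (SEPARATORS & set(name))

# Constructed samples: non-shortest forms of U+005C and U+00A5.
OVERLONG_BACKSLASH = b"a\xc1\x9cb"
OVERLONG_YEN = b"a\xe0\x82\xa5b"
```
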