| 1 |
On Tue, 28 Feb 2006 12:47:33 -0500 |
| 2 |
solar <solar@g.o> wrote: |
| 3 |
|
| 4 |
> I forget where I read it but I thought that unicode lead to overflows |
| 5 |
> and was considered a general security risk. I wish I knew where I read |
| 6 |
> that but I'm unable to find it. |
| 7 |
|
| 8 |
Well, stuff I could find includes: |
| 9 |
|
| 10 |
http://www.kde.org/info/security/advisory-20060119-1.txt |
| 11 |
buggy UTF-8 decoder in KDE - this is an overflow error, which as |
| 12 |
ciaranm says is a risk applicable to anything. It's a bug in KDE, not |
| 13 |
in UTF-8 as such. Perhaps this is what was at the back of your mind. |
| 14 |
|
| 15 |
|
| 16 |
http://www.izerv.net/idwg-public/archive/0181.html |
| 17 |
risks of using UTF-8; in particular the use of separate validators |
| 18 |
which won't process things exactly the same way the application does. |
| 19 |
Also homograph risks associated with allowing more than one encoding for |
| 20 |
a character. |
| 21 |
|
| 22 |
http://www.eeye.com/html/Research/Advisories/AD20010705.html |
| 23 |
example of UTF-8(ish) used to fool IDSs by using alternative |
| 24 |
non-standard encodings that IDSs aren't aware of. |
| 25 |
This actually is another example of issues with secondary validators |
| 26 |
described in the link above - they're not guaranteed to parse things |
| 27 |
exactly the same way the application does. |
| 28 |
|
| 29 |
http://www.microsoft.com/mspress/books/sampchap/5612b.asp |
| 30 |
describes a number of risks of accepting UTF-8, including the above. |
| 31 |
|
| 32 |
|
| 33 |
So far I haven't found anything that could be considered a general |
| 34 |
security risk, but that doesn't prove much :) |
| 35 |
|
| 36 |
-- |
| 37 |
Kevin F. Quinn |
Archives