1 |
On Tue, 28 Feb 2006 12:47:33 -0500 |
2 |
solar <solar@g.o> wrote: |
3 |
|
4 |
> I forget where I read it but I thought that unicode lead to overflows |
5 |
> and was considered a general security risk. I wish I knew where I read |
6 |
> that but I'm unable to find it. |
7 |
|
8 |
Well, stuff I could find includes: |
9 |
|
10 |
http://www.kde.org/info/security/advisory-20060119-1.txt |
11 |
buggy UTF-8 decoder in KDE - this is an overflow error, which as |
12 |
ciaranm says is a risk applicable to anything. It's a bug in KDE, not |
13 |
in UTF-8 as such. Perhaps this is what was at the back of your mind. |
14 |
|
15 |
|
16 |
http://www.izerv.net/idwg-public/archive/0181.html |
17 |
risks of using UTF-8; in particular the use of separate validators |
18 |
which won't process things exactly the same way the application does. |
19 |
Also homograph risks associated with allowing more than one encoding for |
20 |
a character. |
21 |
|
22 |
http://www.eeye.com/html/Research/Advisories/AD20010705.html |
23 |
example of UTF-8(ish) used to fool IDSs by using alternative |
24 |
non-standard encodings that IDSs aren't aware of. |
25 |
This actually is another example of issues with secondary validators |
26 |
described in the link above - they're not guaranteed to parse things |
27 |
exactly the same way the application does. |
28 |
|
29 |
http://www.microsoft.com/mspress/books/sampchap/5612b.asp |
30 |
describes a number of risks of accepting UTF-8, including the above. |
31 |
|
32 |
|
33 |
So far I haven't found anything that could be considered a general |
34 |
security risk, but that doesn't prove much :) |
35 |
|
36 |
-- |
37 |
Kevin F. Quinn |