| 1 |
On 23/04/2012 19:17, Kevin Chadwick wrote: |
| 2 |
> On Sun, 22 Apr 2012 07:26:19 -0400 |
| 3 |
> Anthony G. Basile wrote: |
| 4 |
> |
| 5 |
>> 3) I agree that hardened should be mostly off by default. Eg. ipv6 is |
| 6 |
>> off by default. But as pressure mounts the switch to on by default may |
| 7 |
>> have to occur as it has now with unicode and will happen some day with ipv6. |
| 8 |
> Good stuff. |
| 9 |
> |
| 10 |
> There was a nasty input sanitisation avoiding bug in PHP that only |
| 11 |
> affected linux boxes with unicode enabled terminals. Maybe these bug |
| 12 |
> types have something to do with it. |
| 13 |
> |
| 14 |
> I'd be in two minds, personally I can't remember using unicode on a |
| 15 |
> terminal and you could use base64 as a workaround. Many many will use it |
| 16 |
> though, so the default should be enabled. |
| 17 |
> |
| 18 |
|
| 19 |
Equally I would be thinking that we can find some bugs due to unicode |
| 20 |
being off? Whether they would cause "security" failures is another matter. |
| 21 |
|
| 22 |
It's probably on the tipping point that ipv6/unicode needs decent testing |
| 23 |
|
| 24 |
Ed W |
Archives