On 23/04/2012 19:17, Kevin Chadwick wrote:
> On Sun, 22 Apr 2012 07:26:19 -0400
> Anthony G. Basile wrote:
>
>> 3) I agree that hardened should be mostly off by default. Eg. ipv6 is
>> off by default. But as pressure mounts the switch to on by default may
>> have to occur as it has now with unicode and will happen some day with ipv6.
> Good stuff.
>
> There was a nasty input sanitisation avoiding bug in PHP that only
> affected linux boxes with unicode enabled terminals. Maybe these bug
> types have something to do with it.
>
> I'd be in two minds, personally I can't remember using unicode on a
> terminal and you could use base64 as a workaround. Many many will use it
> though, so the default should be enabled.
>

Equally I would be thinking that we can find some bugs due to unicode
being off? Whether they would cause "security" failures is another matter.

It's probably on the tipping point that ipv6/unicode needs decent testing

Ed W