[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: UTF8 validation

From: Peter N. Lundblad <peter_at_famlundblad.se>
Date: 2004-08-08 23:11:25 CEST

On Sat, 7 Aug 2004, Greg Hudson wrote:

> On Wed, 2004-08-04 at 13:39, Peter N. Lundblad wrote:
> > We have code to validate UTF-8 and we use it when converting to UTF-8.
> > But, when we receive UTF-8 (possibly URI-encoded), who makes sure this is
> > valid? Is this guaranteed by the iconvs that we use?
> I don't think iconv takes care of it, but our utf.c appears to have some
> UTF-8 validation code as of r8581.
Yes, but it seems like it is only used when converting *to* UTF-8. So, if
we for example check for "/../" in a server and then convert from UTF-8,
evil clients might use long UTF-8 sequences to represent these characters
and circumvent our checks. If we add validation to the conversions from
UTF-8, then we shouldn't get to the operating system in such cases.

I'll do this if no one objects.


To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Aug 8 22:58:53 2004

This is an archived mail posted to the Subversion Dev mailing list.