On Sat, 7 Aug 2004, Greg Hudson wrote:
> On Wed, 2004-08-04 at 13:39, Peter N. Lundblad wrote:
> > We have code to validate UTF-8 and we use it when converting to UTF-8.
> > But, when we receive UTF-8 (possibly URI-encoded), who makes sure this is
> > valid? Is this guaranteed by the iconvs that we use?
>
> I don't think iconv takes care of it, but our utf.c appears to have some
> UTF-8 validation code as of r8581.
>
Yes, but it seems like it is only used when converting *to* UTF-8. So, if
we for example check for "/../" in a server and then convert from UTF-8,
evil clients might use long UTF-8 sequences to represent these characters
and circumvent our checks. If we add validation to the conversions from
UTF-8, then we shouldn't get to the operating system in such cases.
I'll do this if no one objects.
Regards,
//Peter
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Aug 8 22:58:53 2004