From: Philippe Verdy (verdy_p@wanadoo.fr)
Date: Sun May 14 2006 - 22:19:22 CDT
Now I fear that this exposed bug will be used in some malware or viruses, trying to defeat the security checks, notably to create alternate user names on a system that get the same privileges as another user, or to pass through a filename safety check on a server or active component embedded in a web page, to overwrite critical system files
(think about all the possible invalid UTF-8 encodings of the Yen character on a Japanese Windows system, and how the security check, which correctly assumed that a filename that decodes successfully to UTF-8 and does not contain any U+FFFD is effectively correctly UTF-8-encoded, and so would accept a filename which will then be interpreted liberally as if this incorrectly encoded Yen symbol was the Japanese pathname separator...)
----- Original Message -----
From: Mark Davis
To: Doug Ewell
Cc: Unicode Mailing List ; Keutgen, Walter ; Philippe Verdy
Sent: Saturday, May 13, 2006 7:32 PM
Subject: Re: Win IE 7b2 and UTF-8
One option is to map any ill-formed UTF-8 sequence to a safe replacement, like U+FFFD. That prevents the non-shortest form sequences from causing security problems.
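Added example, not part of either message above: a sketch of the mismatch the thread describes, where a liberal decoder turns a non-shortest-form sequence into a path separator while a strict decode maps the same bytes to U+FFFD so a filename check can reject them. The function names, the sample byte strings, and the choice of U+005C (displayed as a yen sign on Japanese Windows) as the separator are assumptions made for illustration.

```python
SEPARATORS = {"/", "\\"}  # assumption: U+005C is the pathname separator

def lenient_decode(data: bytes) -> str:
    """Deliberately liberal decoder: accepts non-shortest forms (the flaw)."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp = 0, b
        elif 0xC0 <= b < 0xE0:      # 2-byte lead, including invalid C0/C1
            n, cp = 1, b & 0x1F
        elif 0xE0 <= b < 0xF0:      # 3-byte lead, no overlong check
            n, cp = 2, b & 0x0F
        else:
            n, cp = 0, 0xFFFD
        for c in data[i + 1:i + 1 + n]:
            cp = (cp << 6) | (c & 0x3F)   # trail bytes are not validated
        out.append(chr(cp))
        i += 1 + n
    return "".join(out)

def strict_decode(data: bytes) -> str:
    """Ill-formed sequences, overlong forms included, become U+FFFD."""
    return data.decode("utf-8", errors="replace")

def is_safe_filename(raw: bytes) -> bool:
    """Reject any name that is ill-formed UTF-8 or contains a separator."""
    text = strict_decode(raw)
    if "\ufffd" in text or text in {"", ".", ".."}:
        return False
    return not (SEPARATORS & set(text))

# Constructed samples: U+005C encoded in 2 and 3 bytes instead of 1.
OVERLONG_2 = b"uploads\xc1\x9cnotes.txt"
OVERLONG_3 = b"uploads\xe0\x81\x9cnotes.txt"

if __name__ == "__main__":
    for raw in (OVERLONG_2, OVERLONG_3, b"notes.txt"):
        print(raw, repr(lenient_decode(raw)), repr(strict_decode(raw)),
              is_safe_filename(raw))
```

The check and every later consumer of the name have to use the same strict decoding; the problem described above arises when one of them is liberal and the other is not.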