|
Boost : |
Subject: Re: [boost] [Locale] Security bug announcement - UTF-8 validation
From: Alex Perry (Alex.Perry_at_[hidden])
Date: 2013-01-04 12:03:35
On 04 January 2013 15:01 Jookia [mailto:166291_at_[hidden]] wrote :-
>
> Hello,
>
> Pardon my ignorance, but how would an invalid UTF-8 sequence cause a
> security threat? All I can think it would do is create garbage.
>
> I don't mean every day security threats, I mean any.
>
> Thanks,
> Jookia.
I'm not an expert in this field but I believe that invalid utf8 sequences have been used for several well documented attacks - the most common have been to disguise paths / url's to avoid validation routines which would discard these url's automatically - ie a HTTP get request for /../somefile which could (and has for some servers in the past) end up returning somefile which is living outside of the expected directory tree of retrievable documents.
http://www.technicalinfo.net/papers/URLEmbeddedAttacks.html
Alex
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk