Boost logo

Boost :

Subject: Re: [boost] [Locale] Security bug announcement - UTF-8 validation
From: Alex Perry (Alex.Perry_at_[hidden])
Date: 2013-01-04 12:03:35

On 04 January 2013 15:01 Jookia [mailto:166291_at_[hidden]] wrote :-

> Hello,
> Pardon my ignorance, but how would an invalid UTF-8 sequence cause a
> security threat? All I can think it would do is create garbage.
> I don't mean every day security threats, I mean any.
> Thanks,
> Jookia.

I'm not an expert in this field but I believe that invalid utf8 sequences have been used for several well documented attacks - the most common have been to disguise paths / url's to avoid validation routines which would discard these url's automatically - ie a HTTP get request for /../somefile which could (and has for some servers in the past) end up returning somefile which is living outside of the expected directory tree of retrievable documents.


Boost list run by bdawes at, gregod at, cpdaniel at, john at