Subject: Re: [boost] [review] Review of Nowide (Unicode) starts today
From: Peter Dimov (lists_at_[hidden])
Date: 2017-06-12 21:05:57


Artyom Beilis wrote:
> Denial of Service Attack Example:
>
> - User creates a file with invalid UTF-16
> - System monitors the file system and adds it to the XML report in
> WTF-8 format
> - The central server does not accept the XML since it fails UTF-8
> validation
> - User does whatever he wants without monitoring
> - It removes the file
> - There were no reports generated during the period the user needed - DoS
> attack

I can't help but note that the same attack would work under Unix. The user
can easily create a file with an invalid UTF-8 name. And, since the library
doesn't enforce valid UTF-8 on POSIX (right?) it would pass through.
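
An added example, not part of the original message and not Boost.Nowide code: one way a monitoring agent can keep its report valid UTF-8 whether the file name arrives as WTF-8 (Windows) or as arbitrary bytes (POSIX), so the event is still reported instead of the whole document being rejected. The function names and the `%XX` escaping scheme are assumptions made for this sketch.

```cpp
#include <cstdio>
#include <string>

// True if byte k of s exists and lies in [lo, hi].
static bool in(const std::string& s, size_t k, unsigned lo, unsigned hi) {
    return k < s.size() && (unsigned char)s[k] >= lo && (unsigned char)s[k] <= hi;
}

// Length of the well-formed UTF-8 sequence at s[i], or 0 if it is invalid
// (overlong, surrogate as in WTF-8, above U+10FFFF, stray or truncated bytes).
static size_t utf8_seq_len(const std::string& s, size_t i) {
    unsigned c = (unsigned char)s[i];
    auto t = [&](size_t k) { return in(s, k, 0x80, 0xBF); };  // plain trail byte
    if (c < 0x80) return 1;
    if (c >= 0xC2 && c <= 0xDF) return t(i + 1) ? 2 : 0;
    if (c == 0xE0) return in(s, i + 1, 0xA0, 0xBF) && t(i + 2) ? 3 : 0;
    if (c == 0xED) return in(s, i + 1, 0x80, 0x9F) && t(i + 2) ? 3 : 0;
    if (c >= 0xE1 && c <= 0xEF) return t(i + 1) && t(i + 2) ? 3 : 0;
    if (c == 0xF0) return in(s, i + 1, 0x90, 0xBF) && t(i + 2) && t(i + 3) ? 4 : 0;
    if (c >= 0xF1 && c <= 0xF3) return t(i + 1) && t(i + 2) && t(i + 3) ? 4 : 0;
    if (c == 0xF4) return in(s, i + 1, 0x80, 0x8F) && t(i + 2) && t(i + 3) ? 4 : 0;
    return 0;
}

bool is_valid_utf8(const std::string& s) {
    for (size_t i = 0, n; i < s.size(); i += n)
        if ((n = utf8_seq_len(s, i)) == 0) return false;
    return true;
}

// Name for the report: well-formed sequences pass through; each invalid byte,
// ASCII control, '%' and markup character becomes %XX, so no event is dropped.
std::string report_safe_name(const std::string& raw) {
    static const char hex[] = "0123456789ABCDEF";
    static const std::string special = "%<>&\"'";
    std::string out;
    for (size_t i = 0; i < raw.size();) {
        size_t n = utf8_seq_len(raw, i);
        unsigned char c = raw[i];
        bool ascii_esc = c < 0x20 || c == 0x7F || special.find((char)c) != std::string::npos;
        if (n == 0 || ascii_esc) { out += '%'; out += hex[c >> 4]; out += hex[c & 15]; i += 1; }
        else { out.append(raw, i, n); i += n; }
    }
    return out;
}

int main() {  // constructed sample names: one clean, one WTF-8 lone surrogate
    for (std::string n : {std::string("ok.txt"), std::string("\xED\xA0\x80.log")})
        std::printf("%d %s\n", is_valid_utf8(n), report_safe_name(n).c_str());
}
```

Because `is_valid_utf8` is false for such a name, the agent can also flag the event itself as suspicious rather than only escaping it.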

