|
|
Boost : |
Subject: Re: [boost] [review] Review of Nowide (Unicode) starts today
From: Niall Douglas (s_sourceforge_at_[hidden])
Date: 2017-06-13 20:33:00
>> Why is the Windows-only strict validation a good thing?
>>
>> What attacks are prevented by not accepting WTF-8 in nowide::fopen ONLY
>> under Windows, and passing everything through unvalidated on POSIX?
>
> Ok...
>
> This is a very good question.
>
> On windows I need to convert for obvious reason.
>
> Now the question is what I accept as valid and what is not valid and
> where do I draw the line.
> ---------------------------------------------------------------------------------------------------------------------------
>
> Now as you have seen there are many possible "non-standard" UTF-8 variants.
>
> What should I accept?
I still strongly suggest you simply call RtlUTF8ToUnicodeN()
(https://msdn.microsoft.com/en-us/library/windows/hardware/ff563018(v=vs.85).aspx)
to do the UTF-8 conversion. Do **nothing** else.
Niall
-- ned Productions Limited Consulting http://www.nedproductions.biz/ http://ie.linkedin.com/in/nialldouglas/
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk