Re: Of Unicode in the next Lua version

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Of Unicode in the next Lua version
From: Patrick Donnelly <batrick@...>
Date: Tue, 18 Jun 2013 15:51:01 -0400

On Sun, Jun 16, 2013 at 7:30 AM, David Heiko Kolf <david@dkolf.de> wrote:
> The last point, the non-canonical UTF-8 encodings, is actually a huge
> security risk that already opened holes in the field.
>
> UTF-8 is quite often used as just an extension to ASCII (which it was
> meant to be) and so some filters checked that URLs don't use "../" to
> access upper directories.  They did not check all the non-canonical ways
> of encoding dots and slashes so these paths went through the filter.  At
> some point (I guess just before the OS API) the UTF-8 was converted
> "forgivingly" to UTF-16 and suddenly the dangerous paths were used.
>
> That is the reason why the standards say that the conversion of UTF-8 to
> codepoints must not tolerate non-canonical encodings but either reject
> the string completely or put some codepoint in there that signals an
> encoding error (though I do not know which codepoint that was).

Coincidentally, Spotify had problems with this reported in a blog post
today [1].

[1] http://labs.spotify.com/2013/06/18/creative-usernames/

--
Patrick Donnelly

References:
- Of Unicode in the next Lua version, Pierre-Yves Gérardy
- Re: Of Unicode in the next Lua version, Roberto Ierusalimschy
- Re: Of Unicode in the next Lua version, Pierre-Yves Gérardy
- Re: Of Unicode in the next Lua version, Jay Carlson
- Re: Of Unicode in the next Lua version, Tim Hill
- Re: Of Unicode in the next Lua version, David Heiko Kolf

Prev by Date: Re: LuaSQLite3 compile error
Next by Date: wish to contact Pars Korata
Previous by thread: Re: Of Unicode in the next Lua version
Next by thread: Re: Of Unicode in the next Lua version
Index(es):
- Date
- Thread