Changeset 42


Timestamp:
Mar 28, 2011, 7:34:05 PM (9 years ago)
Author:
duerst@…
Message:

applied first hunk of proposed changes in ticket 18 (refer to UTR 36 for details on UTF-8 decoding security issues)

File:
1 edited

  • draft-ietf-iri-3987bis/draft-ietf-iri-3987bis.xml

    r41 r42  
    22562256particular care for IRIs.</t>
    22572257<t>Incorrect encoding or decoding can lead to security problems.
    2258 In particular, some UTF-8 decoders do not check against overlong
    2259 byte sequences. As an example, a "/" is encoded with the byte 0x2F
    2260 both in UTF-8 and in US-ASCII, but some UTF-8 decoders also wrongly
    2261 interpret the sequence 0xC0 0xAF as a "/". A sequence such as "%C0%AF.."
    2262 may pass some security tests and then be interpreted
    2263 as "/.." in a path if UTF-8 decoders are fault-tolerant, if conversion
    2264 and checking are not done in the right order, and/or if reserved
    2265 characters and unreserved characters are not clearly distinguished.</t>
     2258For example, some UTF-8 decoders do not check against overlong
     2259byte sequences. See <xref target='UTR36'/> Section 3 for details.</t>
    22662260
    22672261<t>There are various ways in which "spoofing" can occur with IRIs.
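Review bot: The replacement at new lines 2258-2259 drops two conditions from the old lines 2263-2265 that are not properties of the UTF-8 decoder itself: conversion and checking done in the wrong order, and reserved and unreserved characters not being clearly distinguished. The new text mentions only decoders that do not check against overlong byte sequences, so a reader of this section no longer learns that a correct decoder is not sufficient if the path check runs before percent-decoding. Suggest keeping one sentence stating that checks must be applied after conversion and that reserved characters must stay distinguishable, unless it is confirmed that UTR36 Section 3 covers both points. Retaining the short "%C0%AF.." illustration next to the xref would also keep the paragraph understandable without following the reference.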