Closed Bug 50702 Opened 24 years ago Closed 24 years ago

UTF-8 decoder accepts overlong sequences

Categories

(Core :: Internationalization, defect, P3)

Tracking

VERIFIED FIXED
mozilla0.9

People

(Reporter: jgmyers, Assigned: ftang)

Details

(Keywords: intl, Whiteboard: have fix, awaiting review & approval)

Attachments

(2 files)

The UTF-8 decoder incorrectly accepts overlong sequences, leaving a potential path for attackers to get past input validation.
Attached patch: Proposed fix (deleted)
Status: NEW → ASSIGNED
Keywords: nsbeta3, review
Whiteboard: have fix, awaiting review & approval
john- sorry, I have no idea what you mean by "overlong sequences". Can you put some examples here and describe the problem clearly?
Section 4 of the URL associated with this bug contains a full description and numerous examples of overlong sequences.
An overlong sequence is a character that is encoded in UTF-8 using more octets than necessary. For example, the UTF-8 sequence "c0 af" is currently decoded by Mozilla's UTF-8 decoder as U+002F. This is a security problem as it would allow, for example, an attacker to get a U+002F character past an input validity checker which attempts to prohibit U+002F characters by prohibiting "2f" octets in data it knows is in UTF-8. As another example, an attacker could encode a U+0000 character as "c0 80", allowing the attacker to truncate a string that is U+0000 terminated.
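The two sequences from the comment above, run through a decoder with and without the minimum-value check, as an added example in C that is not part of the bug thread or of the attached patch. The function names and the `strict` flag are hypothetical; the strict mode also rejects surrogates and values above U+10FFFF, which goes beyond what the comment describes.

```c
#include <stddef.h>
#include <stdint.h>

/* Decode one UTF-8 sequence from s[0..len). Returns the number of octets
 * consumed and stores the code point in *cp, or returns 0 if the input is
 * rejected. With strict == 0 the minimum-value check is skipped, which is
 * the lenient behaviour the bug report describes. */
size_t utf8_decode(const unsigned char *s, size_t len, uint32_t *cp, int strict)
{
    /* Smallest code point that legitimately needs 1, 2, 3 or 4 octets. */
    static const uint32_t min_for_len[5] = { 0, 0x0, 0x80, 0x800, 0x10000 };
    size_t n, i;
    uint32_t c;

    if (len == 0) return 0;
    if (s[0] < 0x80)                { n = 1; c = s[0]; }
    else if ((s[0] & 0xE0) == 0xC0) { n = 2; c = s[0] & 0x1F; }
    else if ((s[0] & 0xF0) == 0xE0) { n = 3; c = s[0] & 0x0F; }
    else if ((s[0] & 0xF8) == 0xF0) { n = 4; c = s[0] & 0x07; }
    else return 0;                  /* stray continuation or invalid lead */

    if (len < n) return 0;          /* truncated sequence */
    for (i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;   /* not a continuation octet */
        c = (c << 6) | (s[i] & 0x3F);
    }
    if (strict) {
        if (c < min_for_len[n]) return 0;            /* overlong encoding */
        if (c >= 0xD800 && c <= 0xDFFF) return 0;    /* UTF-16 surrogate */
        if (c > 0x10FFFF) return 0;                  /* beyond Unicode */
    }
    *cp = c;
    return n;
}

/* Validate a whole buffer in strict mode; returns 1 if well-formed. */
int utf8_is_well_formed(const unsigned char *s, size_t len)
{
    uint32_t cp;
    size_t used;
    while (len > 0) {
        used = utf8_decode(s, len, &cp, 1);
        if (used == 0) return 0;
        s += used; len -= used;
    }
    return 1;
}
```

With `strict` set to 0, "c0 af" decodes to U+002F and "c0 80" to U+0000; with `strict` set to 1 both are rejected, while the one-octet "2f" still decodes normally.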
> leaving a potential path for attackers to get past input validation.
???
1. I don't think we currently have any "input validation" in our code.
2. If we do, we should do that in the UCS2 space, not in the UTF8 space.
erik- can you help to fix this? Mark it as M23.
Assignee: jgmyers → erik
Status: ASSIGNED → NEW
Target Milestone: --- → M23
This is now necessary, since The Unicode Standard version 3.0.1 forbids accepting overlong sequences. Take a look at: http://www.unicode.org/unicode/uni2errata/UTF-8_Corrigendum.html
Keywords: intl
What's the status on this bug? Who is waiting on reviews, etc?
I am waiting for a review. I have heard nothing.
reassign to ftang mark it as moz 0.9
Assignee: erik → ftang
Keywords: nsbeta3patch
Target Milestone: --- → mozilla0.9
accept
Status: NEW → ASSIGNED
sr=ftang
wait, I want to look at it again.
I read it again. It is ok. sr=ftang again.
That's r=ftang as well?
ftang is not on the super reviewer list, but I am. sr=erik (Maybe ftang can change his sr to r.)
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Verified as fixed (2-22 trunk build).
Status: RESOLVED → VERIFIED