Vulnerability Development mailing list archives
Re: special characters (HTTP)
From: Bluefish <11a () GMX NET>
Date: Sun, 6 Aug 2000 13:27:05 +0200
I believe most mayor httpds (apache, IIS etc) has delt with this problem long ago. However, some less wellknown httpd-softwares have had serious problems with this (checking that URL doesn't contain ".." BEFORE converting special characters) The issue was raised in the last cryptogram, where Schneier expressed his opinion that unicode, and the standards being built around it, are too complex so flawed code is very likely to be generated. Some of these problems are multiple ways to express whitespaces (space, tab etc) and different encoding schemes pending on what kind of application is using unicode (some need to send BASE64-alike etc) A similar problem, alas. The article is available at http://www.counterpane.com/ ..:::::::::::::::::::::::::::::::::::::::::::::::::.. http://www.11a.nu || http://bluefish.11a.nu eleventh alliance development & security team
Current thread:
- special characters (HTTP) Ory Segal (Aug 03)
- Re: special characters (HTTP) Bluefish (Aug 06)
- Re: special characters (HTTP) Peter Tonoli (Aug 07)
- Re: special characters (HTTP) Mikael Olsson (Aug 08)
- Re: special characters (HTTP) Iván Arce (Aug 09)
- Re: special characters (HTTP) Peter Tonoli (Aug 07)
- Re: special characters (HTTP) Bluefish (Aug 06)
- <Possible follow-ups>
- Re: special characters (HTTP) netsec [davidv] (Aug 08)