WebApp Sec mailing list archives

Re: Canonicalization

From: Andrew van der Stock <vanderaj () greebo net>
Date: Sat, 22 Apr 2006 23:19:32 +1000

Rossen,

in answer to your query, sometimes canoncalization to a simplest formcan be very challenging. For example, LDAP data by its nature mustcope with names in many languages, including quirks of English(O'Neill, surnames with spaces, etc). Just because computer programscannot handle a wide range of inputs safely doesn't mean these people(which includes me btw ... I hate being filed incorrectly under "S",or referred to as Mr Stock) should bend to the will of the computer.

Half the issue comes from bad query / data access patterns. We knowthat if we intermingle data and instructions/programs, injection ismade trivially easy. Why do people promulgate new standards (XPathqueries, etc) which encourage a poor pattern?

If anyone watches "Little Britain", this is basically along the linesof "The computer says noooo". It's not the computer. It's us.


So basically, what's needed is:

* Frameworks which canoncalize properly by default

* Frameworks that provide only non-intermingled data query / accesspatterns* Frameworks that provide easy access to de/encoding functions for awide variety of data types to clean old data* System designers to consider the many different needs of humaninput. For example, airline booking systems really need to stopmaking a single word out of my surname. For legal reasons, my surnameis three words. Making it one word means legally that it's not meflying.

I'd really like to return to the days when it was safe to take anyold thing, but it's not probably (or achievable) any time soon.


thanks,
Andrew


On 21/04/2006, at 12:22 PM, Rossen Raykov wrote:

Andrew,
Is that “simplest form” achievable? One can perform many anddifferent encodings making the task of decoding them very difficultand resource consuming. Usually it is cheaper and safeties to dosemantic checkup and treat the input as erroneous if it does notconfirm to the expected input format.
For example if you are expecting number anything different than anumber is error. If you expect alphanumeric – verify if the inputis composed only by alphas and numbers...

Attachment: smime.p7s
Description:

Current thread:

Re: Canonicalization, (continued)
- Re: Canonicalization Yann (Apr 12)
  - Re: Canonicalization Rogan Dawes (Apr 12)
- RE: Canonicalization PPowenski (Apr 12)
- Re: Canonicalization Andrew van der Stock (Apr 12)
  - Re: Canonicalization Rossen Raykov (Apr 20)
    - Re: Canonicalization Peter Conrad (Apr 21)
    - Re: Canonicalization exon (Apr 21)
    - Re: Canonicalization Jason Murray (Apr 23)
    - Re: Canonicalization exon (Apr 24)
    - Re: Canonicalization Eoin (Apr 21)
    - Re: Canonicalization Andrew van der Stock (Apr 22)
- Re: RE: Canonicalization jovan . burd (Apr 13)
- Re: Re: Canonicalization susam_pal (Apr 13)
  - Re: Canonicalization Rogan Dawes (Apr 14)
  - Re: Canonicalization Jason (Apr 14)
  - Re: Re: Canonicalization Mariusz Pękala (Apr 14)
    - Re: Re: Canonicalization Peter Conrad (Apr 18)