On 09/18/2014 06:28 PM, David E. Wheeler wrote:
On Jul 22, 2014, at 10:38 PM, David E. Wheeler wrote:

As I’ve solved my immediate problem, I’m fine to let you guys decide whether or not to change UTF8_DISALLOW_ILLEGAL_INTERCHANGE to exclude UTF8_DISALLOW_NONCHAR. Do you want a ticket to track the issue, or is https://rt.perl.org/Public/Bug/Display.html?id=121937 sufficient (I can add a comment there if you’d like, access controls allowing).
Karl, what say you?


Background: It turns out that the Corrigendum #9 is controversial in
the Unicode community. It was done during the course of a single
meeting, and not subjected to the usual public review. The wording of
the Standard in regards to this has not been finalized.

We cannot just change this. It would open up security holes.
Applications likely have been written assuming Non-characters will not
be in the input, and thus are usable as sentinels, without fear of
encountering one from user-data. If we were to make this change that
would no longer be true, and a long-standing module could silently be
exposed to an attack.

The feedback from Unicode on this was unanimous, even from the people
who were the ones who pushed for #9. If you have an existing library
(as essentially we do) that excluded non-chars, you have to continue to
exclude them to prevent security holes from opening up.

The way out of this is to have some API to tell Encode that
non-characters are acceptable.
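The sentinel argument in the reply above, worked through as an added example (this is not code from the thread, from perl, or from Encode). A legacy module packs fields with U+FFFF as a separator on the assumption that the decoder in front of it never lets a noncharacter through from user data. `decode_strict` is a hypothetical policy modelled on the UTF8_DISALLOW_NONCHAR behaviour the reply describes, not Encode's implementation; `decode_lax` is what a decoder does once noncharacters are accepted for interchange. The attacker input is constructed for the example.

```python
"""Noncharacter sentinels versus a permissive decoder.

Added example, not code from the perl5-porters thread or from Encode.
A module that uses a Unicode noncharacter (here U+FFFF) as an internal
separator is only safe while the decoder in front of it rejects
noncharacters in user data.  Once the decoder lets them through, user
data can carry the separator and the module's record structure is
attacker-controlled.
"""

NONCHAR_SENTINEL = "\uFFFF"


def is_noncharacter(cp: int) -> bool:
    # Unicode noncharacters: U+FDD0..U+FDEF plus the last two code points
    # of every plane (U+FFFE, U+FFFF, U+1FFFE, U+1FFFF, ..., U+10FFFF).
    return 0xFDD0 <= cp <= 0xFDEF or (cp & 0xFFFE) == 0xFFFE


def decode_lax(data: bytes) -> str:
    # Behaviour after noncharacters are allowed in interchange: the bytes
    # for U+FFFF decode like any other code point (Python's own decoder
    # already behaves this way; it rejects surrogates, not noncharacters).
    return data.decode("utf-8", errors="strict")


def decode_strict(data: bytes) -> str:
    # Hypothetical "disallow noncharacters" policy layered on top of the
    # UTF-8 decoder, modelled on the thread's UTF8_DISALLOW_NONCHAR.
    text = data.decode("utf-8", errors="strict")
    for i, ch in enumerate(text):
        if is_noncharacter(ord(ch)):
            raise ValueError(
                f"noncharacter U+{ord(ch):04X} at index {i} "
                "is not allowed in interchange"
            )
    return text


def join_fields(fields: list[str]) -> str:
    # Legacy module: U+FFFF is the separator because "it cannot appear
    # in user data".  That assumption is exactly what the decoder choice
    # above does or does not guarantee.
    return NONCHAR_SENTINEL.join(fields)


def split_fields(record: str) -> list[str]:
    return record.split(NONCHAR_SENTINEL)


def build_record(decoder, raw_fields: list[bytes]) -> list[str]:
    """Decode each user-supplied field with `decoder`, pack the fields the
    way the legacy module does, then unpack them again as a consumer would."""
    fields = [decoder(f) for f in raw_fields]
    return split_fields(join_fields(fields))


# Constructed attacker input: a username that embeds the UTF-8 encoding of
# U+FFFF followed by an injected extra field.  Two fields go in; with a
# permissive decoder three come out.
ATTACKER_NAME = b"alice" + "\uFFFF".encode("utf-8") + b"admin"
RAW_FIELDS = [ATTACKER_NAME, b"user"]

if __name__ == "__main__":
    print("lax decoder   :", build_record(decode_lax, RAW_FIELDS))
    try:
        build_record(decode_strict, RAW_FIELDS)
    except ValueError as exc:
        print("strict decoder:", exc)
```

With the permissive decoder the two submitted fields come back as `['alice', 'admin', 'user']`, so the injected `admin` now occupies a field slot the module never received from the caller; the strict decoder refuses the input before the module ever sees it. This is the "silently exposed" case the reply warns about: nothing in the legacy module changed, only the decoder's policy did.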

Discussion overview: perl5-porters, post 11 of 13; posted Jul 16, '14 at 10:03p; active Sep 19, '14 at 4:23p. Archived at Grokbase.