PerlMonks  

Re^2: UTF8 related proof of concept exploit released at T-DOSE

by Juerd (Abbot)
on Oct 14, 2007 at 23:06 UTC (#644811=note)


in reply to Re: UTF8 related proof of concept exploit released at T-DOSE
in thread UTF8 related proof of concept exploit released at T-DOSE

I would think that anyone writing a script that uses the "-T" flag, and expects to handle utf8 data from a tainted source, would prefer to read such input as ":raw", and always use Encode::decode() to convert it to perl-internal utf8 form.

Why go through that trouble if ":encoding(UTF-8)" does exactly the same thing, the same safe way, only with less code?

Using :raw with decode is exactly as safe as using :encoding(UTF-8), because it literally does the same things internally, only through a different wrapper :)

Now, :utf8 is unsafe (when reading), but this has nothing to do with taint mode. Of course, in the contrived example in the root node, an informed careful programmer would have done two things differently: they would have used :encoding and they would not have used \w. The scary part, however, is that many careful programmers don't know that what they're doing is dangerous!

Juerd # { site => 'juerd.nl', do_not_use => 'spamtrap', perl6_server => 'feather' }


Re^3: UTF8 related proof of concept exploit released at T-DOSE
by graff (Chancellor) on Oct 15, 2007 at 08:57 UTC
    Why go through that trouble if ":encoding(UTF-8)" does exactly the same thing, the same safe way, only with less code?

    If it is sufficient that the app simply never gets to see a malformed byte sequence (or anything following a malformed character) when reading from a source that is expected to be utf8, you're right -- better to handle it via the ":encoding(utf8)" layer in PerlIO.

    But if there's any need to diagnose the nature of the malformedness, or to recover any amount of usable data following a bad byte sequence within a given input record, then the extra steps involving "decode('utf8',$string,...)" are the only way to do that, I think.

      Using warnings takes care of most, but indeed if you want to catch it and do anything special with it, the extra step is the easiest way. Good point.
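The three input strategies the thread compares (the unchecked :utf8 layer, Juerd's :encoding(UTF-8) layer, and graff's :raw read plus decode() with a CHECK argument), together with an ASCII-only replacement for the \w test Juerd warns about, run over one constructed byte string. This is an added example, not code from the thread or from any of its posters; the function names, the use of FB_CROAK for the strict layer and FB_QUIET for the recovering loop, and the sample input are this example's own choices.

```perl
#!/usr/bin/perl
# Added example, not code from the PerlMonks thread.  Compares the input
# strategies discussed above on one constructed byte string.
use strict;
use warnings;
use Encode qw(decode FB_CROAK FB_QUIET);
use PerlIO::encoding;    # load before touching $PerlIO::encoding::fallback

binmode STDOUT, ':encoding(UTF-8)';

# Constructed input: "ab", a lone UTF-8 lead byte 0xC3 followed by ASCII "x"
# ("x" is not a continuation byte, so 0xC3 is malformed), then "yz".
my $input = "ab\xC3xyz";

# :utf8 only flags the bytes as UTF-8; nothing validates them, so the
# malformed sequence reaches the program as a flagged string.  Do not use
# this layer for reading untrusted input.
sub read_unchecked {
    my ($bytes) = @_;
    open my $fh, '<:utf8', \$bytes or die "open: $!";
    local $/;
    my $text = <$fh>;
    close $fh;
    return $text;
}

# :encoding(UTF-8) decodes through Encode, the same code path as
# decode('UTF-8', ...).  With the layer's fallback set to FB_CROAK the read
# dies at the first malformed byte, so a bad record is rejected whole.
sub read_strict {
    my ($bytes) = @_;
    local $PerlIO::encoding::fallback = FB_CROAK;    # read at layer push
    open my $fh, '<:encoding(UTF-8)', \$bytes or die "open: $!";
    local $/;
    my $text = <$fh>;    # croaks on malformed input; caller wraps in eval
    close $fh;
    return $text;
}

# :raw plus decode() with FB_QUIET gives the same result on clean input, but
# on an error decode() returns the prefix it could decode and leaves the rest
# in $raw.  That lets the caller log the exact offending byte, skip it and
# keep the usable data after it, which the layer alone does not offer.
sub read_recovering {
    my ($bytes) = @_;
    open my $fh, '<:raw', \$bytes or die "open: $!";
    local $/;
    my $raw = <$fh>;
    close $fh;

    my ($text, @bad) = ('');
    while (length $raw) {
        $text .= decode('UTF-8', $raw, FB_QUIET);   # consumes the valid prefix
        if (length $raw) {                          # stopped at a bad byte
            push @bad, sprintf 'byte 0x%02X at offset %d',
                ord $raw, length($bytes) - length($raw);
            substr $raw, 0, 1, '';                  # skip it and resume
        }
    }
    return ($text, \@bad);
}

# On a decoded string \w matches every Unicode letter, mark and digit, not
# just [A-Za-z0-9_], so /^\w+$/ as a "safe token" test is far weaker than it
# looks.  Spell the class out (or use the /a modifier on Perl 5.14+).
sub is_ascii_word {
    my ($s) = @_;
    return $s =~ /\A[A-Za-z0-9_]+\z/ ? 1 : 0;
}

# Run all of the above on the constructed input, collecting warnings.
my @warnings;
$SIG{__WARN__} = sub { push @warnings, $_[0] };

my $unchecked = read_unchecked($input);
my $chars     = eval { length $unchecked };
printf "unchecked:  utf8 flag %s, length %s, %d warning(s)\n",
    utf8::is_utf8($unchecked) ? 'on' : 'off',
    defined $chars ? $chars : 'failed', scalar @warnings;

my $strict = eval { read_strict($input) };
print defined $strict ? "strict:     read ok\n" : "strict:     refused: $@";

my ($text, $bad) = read_recovering($input);
printf "recovering: kept \"%s\", skipped %s\n", $text, join(', ', @$bad);

for my $name (map { decode('UTF-8', $_) }
              "report_2007", "r\xC3\xA9sum\xC3\xA9", "../etc/passwd") {
    printf "%-14s \\w+ says %d, ASCII class says %d\n",
        $name, ($name =~ /\A\w+\z/ ? 1 : 0), is_ascii_word($name);
}
```

The strict reader treats any malformed byte as a reason to reject the whole record, which is the right default for tainted input; the recovering loop is for the case graff describes, where the program must report which byte was bad or salvage the data after it. Both decode through Encode, which is Juerd's point that :encoding(UTF-8) and :raw plus decode() are the same check behind different interfaces.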
