[Python-Dev] Python-3.0, unicode, and os.environ

Glenn Linderman v+python at g.nevcal.com
Mon Dec 8 03:17:04 CET 2008


On approximately 12/7/2008 10:56 AM, came the following characters from 
the keyboard of Adam Olsen:

> You might receive a UTF-8 encoded file name from a malicious user,
> check if it contains something dangerous (like
> "../../../../../etc/password"), then decode it.  If your decoder isn't
> compliant (ie doesn't check for overly long sequences) then a
> b'\xC0\xAF' gets translated into u'/', bypassing your previous check.


You might indeed.

But if you are interested in checking for security issues, shouldn't you 
  _first_ decode into some canonical form, specifying what sorts of 
Unicode strictness (such as overlong sequences) to check for during the 
decode process, and once the string is in canonical form, _then_ do 
checks for various attacks, such as the ../ sequence you mention?

And with that order of operation, even if you don't reject overlong 
sequences, you have canonized them, and can recognize the resulting 
characters as good or bad.


-- 
Glenn -- http://nevcal.com/
===========================
A protocol is complete when there is nothing left to remove.
-- Stuart Cheshire, Apple Computer, regarding Zero Configuration Networking


More information about the Python-Dev mailing list