>> Daniel Blumenthal <[EMAIL PROTECTED]> wrote:
>> As a security concern, you might not want to allow full UTF-8 usernames.
>> There are a number of invisible characters (from the soft hyphen to various
>> connector characters) which people can use to spoof other users' names.
On Sun, Mar 05, 2006 at 07:09:52PM -0800, Dave wrote:
> Hi Daniel,
>
> I am not quite understanding. Is it a security hole?
> User needs a username and password to login to the web application.
It _can_ be a security hole, but it does not necessarily _have_ to be
one. It certainly can make things a bit trickier to get right.
The problem is that two usernames that are actually different can
_look_ the same. For example, say you are looking at two usernames, both
of which appear on your screen as "joe-bob". It is possible that one of
them uses an actual ascii hyphen character, while the other uses the
unicode soft-hyphen.
This can lead to all sorts of problems. e.g. let's say "joe-bob" (the
soft-hyphen one) send you a message through your web-app (thus supposedly
proving he is authorized to ask) asking you to cancel his account.
You go and type "joe-bob" (with an ascii hyphen) into your delete-a-user
form and end up deleting the wrong user.
eric
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
