Package: moreutils
Version: 0.20
Severity: normal

$ man utf-8 | grep 'Security' -A 9 | sed -e '1d; s/^ *//'
The Unicode and UCS standards require that producers of UTF-8 shall use
the shortest form possible, for example, producing a two-byte sequence
with first byte 0xc0 is non-conforming. Unicode 3.1 has added the
requirement that conforming programs must not accept non-shortest forms
in their input. This is for security reasons: if user input is checked
for possible security violations, a program might check only for the
ASCII version of "/../" or ";" or NUL and overlook that there are many
non-ASCII ways to represent these things in a non-shortest UTF-8
encoding.

$ printf '\300\200' | iconv -f UTF-8 -t UTF-8
iconv: illegal input sequence at position 0

$ printf '\300\200' | isutf8 && echo valid
valid

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (900, 'testing'), (600, 'unstable'), (500, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.21-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=pl_PL (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/dash

Versions of packages moreutils depends on:
ii  libc6                         2.6.1-1+b1 GNU C Library: Shared libraries
ii  perl                          5.8.8-7    Larry Wall's Practical Extraction
moreutils recommends no packages.

-- no debconf information

--
Jakub Wilk
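The shortest-form rule from the utf-8(7) excerpt, as an added example that is not moreutils' own isutf8 code: a strict validator in C that decodes each multi-byte sequence and rejects it when the decoded value is below the minimum for its length, so the `\300\200` input from the report comes back invalid. All sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Strict UTF-8 validator following the rule quoted from utf-8(7) above: a
 * sequence is valid only if it is the shortest encoding of its code point.
 * Overlong forms (C0 80 for U+0000, C0 AF for '/'), UTF-16 surrogates and
 * code points above U+10FFFF are rejected. Returns 1 if valid, 0 otherwise. */
int is_strict_utf8(const char *buf, size_t n)
{
    const unsigned char *s = (const unsigned char *)buf;
    size_t i = 0;
    while (i < n) {
        unsigned char b = s[i];
        size_t len;
        uint32_t cp, min;
        if (b < 0x80) { i++; continue; }                  /* plain ASCII */
        if ((b & 0xE0) == 0xC0)      { len = 2; cp = b & 0x1F; min = 0x80;    }
        else if ((b & 0xF0) == 0xE0) { len = 3; cp = b & 0x0F; min = 0x800;   }
        else if ((b & 0xF8) == 0xF0) { len = 4; cp = b & 0x07; min = 0x10000; }
        else return 0;                  /* stray continuation byte or F8..FF lead */
        if (n - i < len) return 0;      /* sequence runs past the end of the buffer */
        for (size_t k = 1; k < len; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;   /* not a continuation byte */
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min) return 0;         /* non-shortest form: the C0 80 case above */
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0;    /* UTF-16 surrogate */
        if (cp > 0x10FFFF) return 0;                   /* beyond the Unicode range */
        i += len;
    }
    return 1;
}

/* Convenience wrapper for NUL-terminated test strings. */
int is_strict_utf8_cstr(const char *s)
{
    return is_strict_utf8(s, strlen(s));
}

int main(void)
{
    /* Constructed inputs: the overlong NUL from the report, an overlong '/',
     * a three-byte overlong '/', and a correctly encoded U+00E9. */
    const char *samples[] = { "\xC0\x80", "\xC0\xAF", "\xE0\x80\xAF", "\xC3\xA9" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("sample %zu: %s\n", i, is_strict_utf8_cstr(samples[i]) ? "valid" : "invalid");
    return 0;
}
```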
