Thanks, Emmanuel, for finding and fixing this issue. Checking the String injected into the KerberosString based on the RFC is important.

Jiajia

-----Original Message-----
From: Emmanuel Lécharny [mailto:[email protected]]
Sent: Tuesday, December 29, 2015 4:53 PM
To: [email protected]
Subject: KerberosString

Hi,

looking at the KerberosString class, I think it's not doing the job it's supposed to do. Kerberos String is a restricted version of the ASN.1 GeneralString, limiting the chars that can be used to the ASCII sub-set (i.e., 0x00..0x7F). There is no control whatsoever on the value you can inject into a KerberosString, and this is extremely dangerous from an interoperability POV. IMO, we should override the methods that inject data into a KerberosString to enforce this limitation.

There are more things I'd like to say about the Asn1String class, but I'll submit another mail later!

Thanks!
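The check Emmanuel describes, as an added standalone example that is not Apache Kerby's own KerberosString or Asn1String code: a hypothetical `KerberosStringExample` wrapper that refuses any character outside 0x00..0x7F at injection time (RFC 4120 defines KerberosString as a GeneralString restricted to the IA5 range), and a `main` that contrasts the rejection with what happens when an unchecked value is handed to an ASCII encoder. The class name, method names and the sample principal strings are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;

/**
 * Illustrative KerberosString wrapper (hypothetical; not Apache Kerby's class).
 * Enforces the RFC 4120 restriction that a KerberosString is a GeneralString
 * limited to the ASCII sub-set 0x00..0x7F, and does so at the point where a
 * value is injected, so an invalid value can never be stored or encoded.
 */
public final class KerberosStringExample {

    /** ASN.1 universal tag number of GeneralString; KerberosString reuses it. */
    public static final int GENERAL_STRING_TAG = 0x1B;

    private final String value;

    /** Every constructor/setter path goes through requireAscii, so the invariant always holds. */
    public KerberosStringExample(String value) {
        this.value = requireAscii(value);
    }

    /** True only when every UTF-16 code unit lies within 0x00..0x7F (surrogates are > 0x7F, so they fail too). */
    public static boolean isKerberosString(String s) {
        if (s == null) {
            return false;
        }
        for (int i = 0; i < s.length(); i++) {
            if (s.charAt(i) > 0x7F) {
                return false;
            }
        }
        return true;
    }

    /** Rejects the value with a precise error instead of letting a non-ASCII character through. */
    public static String requireAscii(String s) {
        if (s == null) {
            throw new IllegalArgumentException("KerberosString value must not be null");
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c > 0x7F) {
                throw new IllegalArgumentException(String.format(
                        "KerberosString may only contain 0x00..0x7F; found U+%04X at index %d", (int) c, i));
            }
        }
        return s;
    }

    /** Safe to encode as US-ASCII because the constructor already enforced the range. */
    public byte[] toAsciiBytes() {
        return value.getBytes(StandardCharsets.US_ASCII);
    }

    public String getValue() {
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample inputs (not taken from any real deployment).
        String ok = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";
        String bad = "r\u00E9alm";   // contains U+00E9, which is outside 0x00..0x7F

        System.out.println(ok + " is a KerberosString: " + isKerberosString(ok));
        System.out.println(bad + " is a KerberosString: " + isKerberosString(bad));

        // The interoperability hazard: with no check, Java's US-ASCII encoder does not fail,
        // it silently substitutes '?' for the unmappable character, so the peer receives
        // a different string than the one the caller thought it sent.
        byte[] lossy = bad.getBytes(StandardCharsets.US_ASCII);
        System.out.println("unchecked encoding yields: " + new String(lossy, StandardCharsets.US_ASCII));

        // With the check, the bad value is rejected at injection time.
        try {
            new KerberosStringExample(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // The valid value round-trips losslessly through the ASCII encoder.
        KerberosStringExample ks = new KerberosStringExample(ok);
        byte[] encoded = ks.toAsciiBytes();
        System.out.println("valid value encodes to " + encoded.length + " bytes, round-trip equal: "
                + ok.equals(new String(encoded, StandardCharsets.US_ASCII)));
    }
}
```

The point of validating in the constructor (and, in a real implementation, in every setter) rather than at encode time is that an invalid value never becomes reachable: decoders on the other side only ever see bytes that are legitimately within the GeneralString/ASCII range, and the silent `?` substitution shown above cannot occur.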
