Are there any pre-Unicode 5.2 applications still in existence?
Hi Folks,

I have learned that:

    In some versions prior to Unicode 5.2, conformance clause C7 allowed the deletion of noncharacter code points [1]

Are there still in existence applications which delete noncharacter code points from strings?

Are there any pre-Unicode 5.2 applications still in existence?

The paper at [1] describes the security risk with deleting noncharacter code points. Is this risk still a concern, or can one assume that there are no more applications which delete noncharacter code points?

/Roger

[1] http://www.unicode.org/reports/tr36/#Deletion_of_Noncharacters

RE: Are there any pre-Unicode 5.2 applications still in existence?
I think you can safely assume that apps exist that are not well behaved.

For this type of security problem, I always recommend validating strings after any possible transformations occur. Any sort of conversion could be a problem. Normally I talk about this in a convert from non-Unicode code page to Unicode context, e.g.: make sure you validate AFTER the conversion, but the concept applies most any time.

Unfortunately many apps do strange things.

-Shawn

-Original Message-
From: unicode-bou...@unicode.org [mailto:unicode-bou...@unicode.org] On Behalf Of Costello, Roger L.
Sent: Friday, March 8, 2013 7:55 AM
To: unicode@unicode.org
Subject: Are there any pre-Unicode 5.2 applications still in existence?

Hi Folks,

I have learned that:

    In some versions prior to Unicode 5.2, conformance clause C7 allowed the deletion of noncharacter code points [1]

Are there still in existence applications which delete noncharacter code points from strings?

Are there any pre-Unicode 5.2 applications still in existence?

The paper at [1] describes the security risk with deleting noncharacter code points. Is this risk still a concern, or can one assume that there are no more applications which delete noncharacter code points?

/Roger

[1] http://www.unicode.org/reports/tr36/#Deletion_of_Noncharacters

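Added example, not part of the thread or of any poster's code: a Python sketch of why the order "validate AFTER the transformation" matters when some later component deletes noncharacters. The blocked token, the function names and the sample string are constructed for illustration; the U+FFFD replacement is shown as the alternative to deletion.

```python
# Constructed illustration: all names and the sample input are assumptions.
BLOCKED = "<script"              # hypothetical token a filter must reject
SAMPLE = "<scr\ufffeipt>x"       # constructed input with U+FFFE embedded

def is_noncharacter(cp: int) -> bool:
    """True for the 66 noncharacters: U+FDD0..U+FDEF plus the last two
    code points (xxFFFE, xxFFFF) of each of the 17 planes."""
    return 0xFDD0 <= cp <= 0xFDEF or (cp & 0xFFFE) == 0xFFFE

def delete_noncharacters(s: str) -> str:
    """Stand-in for a downstream component that silently drops them."""
    return "".join(ch for ch in s if not is_noncharacter(ord(ch)))

def replace_noncharacters(s: str) -> str:
    """Alternative transformation: substitute U+FFFD, so text on either
    side of the noncharacter is never joined together."""
    return "".join("\ufffd" if is_noncharacter(ord(ch)) else ch for ch in s)

def is_allowed(s: str) -> bool:
    """The validation step: reject any string containing the token."""
    return BLOCKED not in s.lower()

def validate_then_transform(s: str):
    """Wrong order: the check sees the string before deletion alters it."""
    if not is_allowed(s):
        return None
    return delete_noncharacters(s)

def transform_then_validate(s: str):
    """Order recommended above: check the form that is actually used."""
    out = delete_noncharacters(s)
    return out if is_allowed(out) else None

if __name__ == "__main__":
    print(repr(validate_then_transform(SAMPLE)))   # token reaches the output
    print(repr(transform_then_validate(SAMPLE)))   # rejected
    print(repr(replace_noncharacters(SAMPLE)))     # token never forms
```
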
Re: Are there any pre-Unicode 5.2 applications still in existence?
On Fri, 8 Mar 2013 15:54:57 + Costello, Roger L. coste...@mitre.org wrote:

> Are there any pre-Unicode 5.2 applications still in existence?

Strange question! Unicode 5.2 was released in 2009. Consequently, on the Ubuntu release I'm running all characters new in Unicode 5.2 are compared equal (and that nearly bit me - fortunately, the C locale was good enough for my purpose.).

The MS Office I have at home on my Windows 7 machine is Office XP (i.e. 2002), and at work we use MS Office 2007 on Windows XP. I suppose it's possible that these versions have been upgraded to a more recent version of Unicode, but I suspect it's unlikely.

Richard.