
On 04 January 2013 15:01 Jookia [mailto:166291@gmail.com] wrote :-
> Hello,
>
> Pardon my ignorance, but how would an invalid UTF-8 sequence cause a security threat? All I can think it would do is create garbage.
>
> I don't mean every day security threats, I mean any.
>
> Thanks, Jookia.
I'm not an expert in this field, but I believe that invalid UTF-8 sequences have been used for several well-documented attacks. The most common have been to disguise paths/URLs to avoid validation routines which would discard these URLs automatically, i.e. an HTTP GET request for /../somefile which could (and has, for some servers in the past) end up returning somefile, which is living outside of the expected directory tree of retrievable documents.

http://www.technicalinfo.net/papers/URLEmbeddedAttacks.html

Alex
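The mechanism Alex describes, as an added example that is not part of the thread: a strict UTF-8 decoder that rejects overlong and otherwise invalid sequences, beside a path handler that runs its traversal check on the raw bytes and then decodes permissively. With the permissive decoder, bytes that are not valid UTF-8 still turn into "/../", so the raw-byte check never sees the traversal. The request bytes, the document root and the two handler functions are constructed for this example and are not from any real server.

```python
"""Strict UTF-8 decoding as a precondition for path validation.

Constructed example. An overlong encoding (a code point written in more bytes
than UTF-8 allows) is invalid UTF-8. A decoder that tolerates it maps the bytes
to the same character as the short form, so a filter that inspects the raw bytes
for ".." is bypassed and the decoded path still contains "..".
"""
import posixpath
from typing import Optional

DOCROOT = "/var/www/html"  # constructed document root for the example


def decode_utf8(data: bytes, reject_overlong: bool = True) -> str:
    """Decode UTF-8 by hand so the overlong check is visible.

    Rejects bad lead/continuation bytes, truncated sequences, surrogates and
    code points above U+10FFFF. With reject_overlong=True (correct behaviour)
    a sequence whose code point fits in fewer bytes is rejected too.
    """
    out = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            cp, width, minimum = b, 1, 0
        elif 0xC0 <= b <= 0xDF:
            cp, width, minimum = b & 0x1F, 2, 0x80
        elif 0xE0 <= b <= 0xEF:
            cp, width, minimum = b & 0x0F, 3, 0x800
        elif 0xF0 <= b <= 0xF7:
            cp, width, minimum = b & 0x07, 4, 0x10000
        else:
            raise ValueError(f"invalid lead byte 0x{b:02x} at offset {i}")
        if i + width > n:
            raise ValueError(f"truncated sequence at offset {i}")
        for j in range(1, width):
            c = data[i + j]
            if not 0x80 <= c <= 0xBF:
                raise ValueError(f"bad continuation byte 0x{c:02x} at offset {i + j}")
            cp = (cp << 6) | (c & 0x3F)
        if reject_overlong and cp < minimum:
            raise ValueError(f"overlong encoding at offset {i}")
        if cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            raise ValueError(f"code point U+{cp:04X} not allowed at offset {i}")
        out.append(chr(cp))
        i += width
    return "".join(out)


def is_valid_utf8(data: bytes) -> bool:
    """True if data is well-formed UTF-8 under the strict rules above."""
    try:
        decode_utf8(data)
        return True
    except ValueError:
        return False


def serve_path_flawed(raw: bytes) -> Optional[str]:
    """Flawed order: traversal check on raw bytes, then a permissive decode."""
    if b".." in raw:
        return None
    path = decode_utf8(raw, reject_overlong=False)  # tolerates overlong forms
    return posixpath.normpath(DOCROOT + "/" + path.lstrip("/"))


def serve_path_fixed(raw: bytes) -> Optional[str]:
    """Correct order: strict decode first, then check the decoded, normalised path."""
    try:
        path = decode_utf8(raw, reject_overlong=True)
    except ValueError:
        return None  # invalid UTF-8 is rejected outright
    full = posixpath.normpath(posixpath.join(DOCROOT, path.lstrip("/")))
    # Defence in depth: the normalised path must stay inside the document root.
    if full != DOCROOT and not full.startswith(DOCROOT + "/"):
        return None
    return full


if __name__ == "__main__":
    # Constructed request: "/" followed by two overlong encodings of "." then "/somefile".
    disguised = b"/\xc0\xae\xc0\xae/somefile"
    print("valid UTF-8?", is_valid_utf8(disguised))
    print("flawed handler:", serve_path_flawed(disguised))
    print("fixed handler:", serve_path_fixed(disguised))
    print("fixed handler, normal request:", serve_path_fixed(b"/docs/index.html"))
```

The fix is not the string comparison at the end; it is decoding with a strict decoder before any validation and refusing the request when the bytes are not valid UTF-8. The root check is kept as a second layer for the plain "/../somefile" case, which needs no encoding trick at all.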