ietf-nntp draft-ietf-nntpext-base-17

Charles Lindsey chl at clw.cs.man.ac.uk
Tue Mar 25 06:45:46 PST 2003 

In <20030324124116.GX45272 at finch-staff-1.thus.net> "Clive D.W. Feather" <clive at demon.net> writes:

>>> Are you saying that, if I receive 0xC1 0x96, I MUST NOT convert it to 0x56?
>> From RFC 2279bis:
>>    Implementations of the decoding algorithm above MUST protect against
>>    decoding invalid sequences.  For instance, a naive implementation may
>>    decode the overlong UTF-8 sequence C0 80 into the character U+0000,
>>    or the surrogate pair ED A1 8C ED BE B4 into U+233B4. Decoding
>>    invalid sequences may have security consequences or cause other
>>    problems.  See Security Considerations (Section 10) below.

>It says "protect against". I see nothing in 2279bis that forbids such
>decoding, but section 10 requires you to be careful.

In my view, "protect against" means "make sure it never happens".

>I've added:

>  In the first case, the implementation MUST ensure that any replacement
>  cannot be used to bypass validity or security checks.  For example,
>  the illegal sequence %xC0.A0 is an over-long encoding for US-ASCII
>  space (%x20).  If it is replaced by the latter in a command line,
>  this needs to happen before the command line is parsed into individual
>  arguments.  If the replacement came after parsing, it would be
>  possible to generate an argument with an embedded space, which is
>  forbidden.  Use of the "replacement character" does not have this
>  problem, since it is permitted wherever non-US-ASCII characters are.

I think it would be better to stay silent on the matter. Just remove the
existing sentence.

Or you could ask Yergeau what he intended it to mean.

>> RFC 2279 said the same, and I wrote a similar wording into Usefor. There
>> are also serious suggestions that if you see something that is not valid
>> UTF-8 you MAY try to treat it as whatever Chinese charset you think it
>> might be

>Not in *my* specification.

It has been extensively discussed on the Usefor list, mainly I think as an
interim measure that might allow the Chinese to migrate to UTF-8 in an
orderly manner (otherwise they would need a flag day). And always
supposing that UTF-8 happens, of course.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133   Web: http://www.cs.man.ac.uk/~chl
Email: chl at clw.cs.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

More information about the ietf-nntp mailing list