From kogakazuo at gmail.com Thu Sep 16 14:40:40 2010
From: kogakazuo at gmail.com (Kazuo Koga)
Date: Thu, 16 Sep 2010 23:40:40 +0900
Subject: [trivial-utf-8-devel] UTF-8 overlong form validation
Message-ID:

Hi,

This code should be an error:

    (trivial-utf-8:utf-8-bytes-to-string #(#xe0 #x80 #xaf))

but evaluated to:

    "/"

This behavior could be a security hole. (see http://en.wikipedia.org/wiki/UTF-8)

And I wrote a patch to fix this.

Regards
Kazuo

-------------- next part --------------
A non-text attachment was scrubbed...
Name: my-patch.txt.gz
Type: application/x-gzip
Size: 1472 bytes
Desc: not available
URL:

From marijnh at gmail.com Thu Sep 16 18:19:03 2010
From: marijnh at gmail.com (Marijn Haverbeke)
Date: Thu, 16 Sep 2010 20:19:03 +0200
Subject: [trivial-utf-8-devel] UTF-8 overlong form validation
In-Reply-To:
References:
Message-ID:

Hi Kazuo,

Thanks for the bug report. Unfortunately, I only noticed that you had written a patch after I pushed my own patch. Mine is slightly more efficient, so I'll leave it as it is. See

http://common-lisp.net/cgi-bin/darcsweb/darcsweb.cgi?r=trivial-utf-8-trivial-utf-8;a=commitdiff;h=20100916175348-ac2de-5b94fcc7a324f681d618cc22fbfd352fb593e151.gz

Best,
Marijn
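The thread above reports that the byte sequence E0 80 AF decoded to "/" although it is an overlong form (the same code point U+002F has exactly one valid encoding, the single byte 2F). The following decoder is an added illustration written for this archive page; it is not trivial-utf-8's code and not either poster's patch. It shows, in Python rather than Common Lisp, the minimum-value check that a conforming decoder applies to every multi-byte sequence, plus the related checks for UTF-16 surrogates, code points above U+10FFFF, stray continuation bytes and truncated sequences. A `strict=False` mode is included only to reproduce the reported behaviour: with the overlong check switched off, E0 80 AF quietly becomes "/". The function names and the sample inputs are constructed for this example.

```python
"""Strict UTF-8 decoding with overlong-form rejection (constructed example)."""


class Utf8Error(ValueError):
    """Raised for any malformed UTF-8 input."""


# Lead-byte classes: (number of continuation bytes, payload mask, smallest
# code point that legitimately needs this many bytes).  Anything encoding a
# smaller value is an overlong form and must be rejected.
_LEAD = (
    (0xC0, 0xDF, 1, 0x1F, 0x80),
    (0xE0, 0xEF, 2, 0x0F, 0x800),
    (0xF0, 0xF4, 3, 0x07, 0x10000),
)


def decode_utf8(data: bytes, strict: bool = True) -> str:
    """Decode UTF-8 bytes.

    strict=True  rejects overlong forms, surrogates, > U+10FFFF, stray
                 continuation bytes and truncated sequences.
    strict=False skips only the overlong check, to show the bug from the
                 thread (E0 80 AF -> "/").
    """
    out = []
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:                      # plain ASCII, one byte
            out.append(chr(b0))
            i += 1
            continue
        for lo, hi, need, mask, minimum in _LEAD:
            if lo <= b0 <= hi:
                break
        else:
            # 0x80..0xBF is a continuation byte with no lead byte;
            # 0xF5..0xFF can only encode values above U+10FFFF.
            raise Utf8Error(f"invalid lead byte 0x{b0:02x} at offset {i}")
        if i + need >= n:
            raise Utf8Error(f"truncated sequence at offset {i}")
        cp = b0 & mask
        for k in range(1, need + 1):
            b = data[i + k]
            if b & 0xC0 != 0x80:
                raise Utf8Error(f"expected continuation byte at offset {i + k}")
            cp = (cp << 6) | (b & 0x3F)
        if strict and cp < minimum:
            # The decoded value fits in fewer bytes: this is the overlong case.
            raise Utf8Error(f"overlong encoding of U+{cp:04X} at offset {i}")
        if 0xD800 <= cp <= 0xDFFF:
            raise Utf8Error(f"UTF-16 surrogate U+{cp:04X} at offset {i}")
        if cp > 0x10FFFF:
            raise Utf8Error(f"code point U+{cp:X} is beyond U+10FFFF")
        out.append(chr(cp))
        i += need + 1
    return "".join(out)


def is_valid_utf8(data: bytes) -> bool:
    """True if data decodes under the strict rules, False otherwise."""
    try:
        decode_utf8(data, strict=True)
        return True
    except Utf8Error:
        return False


if __name__ == "__main__":
    overlong_slash = bytes([0xE0, 0x80, 0xAF])      # the sequence from the report
    print("lenient:", repr(decode_utf8(overlong_slash, strict=False)))
    print("strict valid?", is_valid_utf8(overlong_slash))
    # Cross-check against CPython's own decoder, which is also strict here.
    try:
        overlong_slash.decode("utf-8")
    except UnicodeDecodeError as e:
        print("CPython agrees:", e.reason)
```

The check that matters for the bug is the single `cp < minimum` comparison: it is cheap, it runs once per sequence, and without it every non-ASCII code point has several byte-level spellings that a byte-oriented filter will not recognise as the same character. Cross-checking any hand-written decoder against the platform's built-in one on inputs like E0 80 AF and C0 AF is an easy regression test to keep around.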