Re: [logs] Charset selection (Was: Re: EventLog library)

From: Bennett Todd (betat_private)
Date: Thu Jan 09 2003 - 11:46:59 PST


    A very clear explanation of the acceptance issues.
    
    Like every place I've seen charsets raise their heads, this looks
    like a lose-lose situation.
    
    We can be tolerant of anything, and know, for sure, that we will be
    laying groundwork for security incidents down the road, where people
    exploit varying interpretations of non-ASCII chars combined with
    over-powerful client software to break into someone's computers.
    
    We can seriously try and secure our future, and suspect, if we
    correctly understand the real needs of some users from other
    cultures, that they might find our solution unusable.
    
    Perhaps we should include a Security Considerations section,
    remarking that differing interpretation of charsets has been and
    will continue to be a source of security problems, so individual
    implementations are encouraged to validate the MSG section to the
    best of their ability in the face of local charset demands; e.g. a
    traditional Unix site using plain ASCII on all their systems may
    wish to use a SELP server that is configured to escape any bytes
    found in the MSG section that are not valid printable US-ASCII.
    
    That sound like a sensible compromise?
    
    -Bennett
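
The escaping suggested above for an ASCII-only site, sketched as an added example (not part of the original message or of any SELP implementation). The `\xHH` notation, the function names and the sample MSG values are assumptions of this sketch; the backslash itself is escaped so the stored form stays unambiguous and the original bytes can be recovered.

```python
# Added example: escape every MSG byte that is not printable US-ASCII.
# The \xHH notation is an assumption of this sketch, not something SELP defines.

PRINTABLE = range(0x20, 0x7F)   # space through '~'
BACKSLASH = 0x5C


def escape_msg(raw: bytes) -> str:
    """Return a pure printable-ASCII rendering of raw MSG bytes."""
    out = []
    for b in raw:
        if b == BACKSLASH:
            out.append("\\\\")          # escape the escape char: output stays unambiguous
        elif b in PRINTABLE:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")   # control bytes, DEL, and everything >= 0x80
    return "".join(out)


def unescape_msg(text: str) -> bytes:
    """Inverse of escape_msg, so an analyst can recover the original bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] != "\\":
            out.append(ord(text[i]))
            i += 1
        elif text.startswith("\\\\", i):
            out.append(BACKSLASH)
            i += 2
        elif text.startswith("\\x", i) and i + 4 <= len(text):
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        else:
            raise ValueError(f"malformed escape at offset {i}")
    return bytes(out)


# Constructed sample MSG values (not taken from any real log).
SAMPLES = [
    b"login ok\n<13>fake entry",   # embedded newline that would forge a second record
    b"user=\x1b[2Jadmin",          # terminal control sequence aimed at the log viewer
    b"caf\xe9 \\x41",              # Latin-1 byte plus a literal backslash sequence
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(escape_msg(sample))
```

A site that must accept a local charset would replace the `PRINTABLE` test with validation against that charset and still escape whatever fails it.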
    
    
    




    This archive was generated by hypermail 2b30 : Thu Jan 09 2003 - 12:36:05 PST