> A very clear explanation of the acceptance issues.
>
> Like every place I've seen charsets raise their heads, this
> looks like a lose-lose situation.
>
> We can be tolerant of anything, and know, for sure, that we
> will be laying groundwork for security incidents down the
> road, where people exploit varying interpretations of
> non-ASCII chars combined with over-powerful client software
> to break in to someone's computers.
>
> We can seriously try and secure our future, and suspect, if
> we correctly understand the real needs of some users from
> other cultures, that they might find our solution unusable.
>
> Perhaps we should include a Security Considerations section,
> remarking that differing interpretation of charsets has been
> and will continue to be a source of security problems, so
> individual implementations are encouraged to validate the MSG
> section to the best of their ability in the face of local
> charset demands; e.g. a traditional Unix site using plain
> ASCII on all their systems may wish to use a SELP server that
> is configured to escape any bytes found in the MSG section
> that are not valid printable US-ASCII.
>
> That sound like a sensible compromise?

In fact, IMHO, this is a perfect one :-)

Rainer

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
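
The escaping policy proposed in the quoted text, as an added example that is not part of the original thread or of any SELP implementation: every MSG byte outside printable US-ASCII (0x20-0x7E) is rewritten, and the escape character itself is doubled so the stored record stays unambiguous and reversible. The `\xNN` notation and the function names are assumptions made for this illustration.

```python
# Added illustration, not from the thread: the \xNN notation and the
# function names are assumptions chosen for this example.
import string

BACKSLASH = 0x5C
HEX = set(string.hexdigits)

def escape_msg(raw: bytes) -> str:
    """Return MSG bytes as printable US-ASCII (0x20-0x7E) only."""
    out = []
    for b in raw:
        if b == BACKSLASH:
            out.append("\\\\")          # double it so escapes stay unambiguous
        elif 0x20 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")   # control bytes and anything >= 0x7F
    return "".join(out)

def unescape_msg(text: str) -> bytes:
    """Recover the original bytes from escape_msg() output."""
    out, i = bytearray(), 0
    while i < len(text):
        nxt, digits = text[i + 1:i + 2], text[i + 2:i + 4]
        if text[i] != "\\":
            out.append(ord(text[i]))
            i += 1
        elif nxt == "\\":
            out.append(BACKSLASH)
            i += 2
        elif nxt == "x" and len(digits) == 2 and set(digits) <= HEX:
            out.append(int(digits, 16))
            i += 4
        else:
            raise ValueError(f"malformed escape at offset {i}")
    return bytes(out)

# Constructed sample MSG payloads.
SAMPLES = [
    b"login failed for user r\xe9mi",            # ISO-8859-1
    "login failed for user r\u00e9mi".encode(),  # same text in UTF-8
    b"logout\nJan  9 12:00:00 host su: session opened for root",  # embedded newline
    b"client sent literal \\x0a",                # backslash already in the input
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(escape_msg(raw))
```

The embedded newline in the third sample comes out as `\x0a`, so the payload stays on one stored line, while the literal backslash in the fourth sample is doubled and cannot be confused with an escape the server wrote.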
This archive was generated by hypermail 2b30 : Thu Jan 09 2003 - 12:41:13 PST