From: Mike Gerwitz
Newsgroups: gmane.emacs.devel
Subject: Re: Emacs Lisp's future
Date: Thu, 9 Oct 2014 00:49:17 -0400
Message-ID: <20141009044917.GA19957@fencepost.gnu.org>
In-Reply-To: <874mvdrj45.fsf@uwakimon.sk.tsukuba.ac.jp>
To: "Stephen J. Turnbull"
Cc: dak@gnu.org, rms@gnu.org, mhw@netris.org, dmantipov@yandex.ru, emacs-devel@gnu.org, handa@gnu.org, monnier@iro.umontreal.ca, eliz@gnu.org

On Thu, Oct 09, 2014 at 12:56:42PM +0900, Stephen J. Turnbull wrote:
> Richard Stallman writes:
>
> > If you demonstrate that this claim is valid, I will be concerned.
>
> *sigh* Be unconcerned. The world is a *lot* more hostile today than
> it was in the days when you posted your passwords on the 'net.

Agreed. Character encoding attacks are also something that has been
exploited "in the wild". Some examples include:

- UTF-7 character encoding to bypass filters[0] (e.g. for XSS);
- IIS WebDAV validation exploit (CVE-2009-1535);[1] and
- CAPEC-80: Using UTF-8 Encoding to Bypass Validation Logic;[2] and
- Google's XSS vulnerability, related to the first item in this list.[3]

Note that not all of the above may be applicable to the specifics of this
discussion---the point is to convey, generally, that character encoding
poses serious threats when improperly handled. Though this discussion
seems to be about what is "improper".

See "Secure Programming for Linux [sic] and Unix HOWTO".[4]

The Unicode Consortium also has a security report[5] that mentions, among
other important concepts, deletion of code points and handling of
"illegal" input byte sequences.

With regards to passing raw input to other systems: this isn't
necessarily Unicode related (unless an invalid sequence contains a null
byte), but serves to illustrate the point that Mark is trying to make:
there is a well-known issue in PHP whereby passing a null byte as a
parameter to a script (e.g. via HTTP GET/POST) opens up a number of
attacks. Specifically, PHP handles null bytes in strings (by storing the
string length as part of the struct that holds the string). However, it
makes calls directly to libc. So, if an unvalidated input $foo contains
"../../../../etc/group\000", and PHP makes a call to `fopen' with the
path "/webroot/modules/$foo/index.php", the result would be opening
"/webroot/modules/../../../../etc/group".

I have the most experience developing web applications, where character
encoding exploits are common.[6]

> So there you are. That's the best I can do.

I can dig up more examples, but hopefully some of these help to
illustrate the severity of ignoring character encoding concerns.

* * *

Aside: For those who don't know what XSS is: the issue is that, if input
from the user is not properly validated/filtered, and is at some point
output back to a user, that output could be interpreted as HTML,
JavaScript, CSS, etc. So if XSS filters are bypassed using the
aforementioned methods, perhaps the user will output `', which might
change a login form, say, to post user credentials to a remote website.

[0]: http://en.wikipedia.org/wiki/UTF-7#Security
[1]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1535
[2]: https://capec.mitre.org/data/definitions/80.html
[3]: http://shiflett.org/blog/2005/dec/googles-xss-vulnerability
[4]: http://www.tldp.org/HOWTO/Secure-Programs-HOWTO/character-encoding.html
[5]: http://www.unicode.org/reports/tr36/
[6]: https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

--
Mike Gerwitz
Free Software Hacker | GNU Maintainer
http://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB
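The two failure modes the message describes, a decoder that silently accepts ill-formed UTF-8 (the CAPEC-80 / TR36 concern) and a length-counted string handed to a NUL-terminated libc call (the PHP `fopen' case), as an added example with the defensive checks a validator should apply. This is example code written for this archive page, not code from the original post, from PHP or from Emacs; the module root `/webroot/modules`, the function names and every sample byte string are constructed for the example.

```python
"""Added example, not from the original post: defensive checks for the two
failure modes the message describes.

strict_utf8_decode() is a hand-written decoder that refuses the malformed
input Unicode TR36 and CAPEC-80 warn about (overlong forms, surrogates,
truncated sequences, stray continuation bytes) instead of silently
accepting or deleting bytes.  resolve_module_path() is the
"/webroot/modules/$foo/index.php" lookup from the message, with the NUL
byte and directory traversal refused before the path reaches libc.
The module root and all sample inputs are constructed for this example.
"""
import posixpath


class EncodingError(ValueError):
    """Raised for any byte sequence that is not well-formed UTF-8."""


def strict_utf8_decode(data: bytes) -> str:
    """Decode UTF-8, rejecting every sequence the standard marks ill-formed."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                        # plain ASCII
            out.append(chr(b))
            i += 1
            continue
        if 0xC2 <= b <= 0xDF:               # 2-byte form, U+0080..U+07FF
            need, cp, minimum = 1, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF:             # 3-byte form, U+0800..U+FFFF
            need, cp, minimum = 2, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF4:             # 4-byte form, U+10000..U+10FFFF
            need, cp, minimum = 3, b & 0x07, 0x10000
        else:
            # 0x80-0xBF is a continuation byte with no leader; 0xC0, 0xC1
            # and 0xF5-0xFF can only start overlong or out-of-range forms.
            raise EncodingError(f"illegal lead byte 0x{b:02x} at offset {i}")
        if i + need >= n:
            raise EncodingError(f"truncated sequence at offset {i}")
        for k in range(1, need + 1):
            c = data[i + k]
            if (c & 0xC0) != 0x80:
                raise EncodingError(f"expected continuation byte at offset {i + k}")
            cp = (cp << 6) | (c & 0x3F)
        if cp < minimum:                    # e.g. C0 AE for '.', E0 80 AF for '/'
            raise EncodingError(f"overlong encoding at offset {i}")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise EncodingError(f"invalid code point U+{cp:04X} at offset {i}")
        out.append(chr(cp))
        i += need + 1
    return "".join(out)


def is_strict_utf8(data: bytes) -> bool:
    """True only if strict_utf8_decode() accepts the whole input."""
    try:
        strict_utf8_decode(data)
        return True
    except EncodingError:
        return False


def c_string_view(s: bytes) -> bytes:
    """What a NUL-terminated libc API such as fopen() sees of a length-counted string."""
    return s.split(b"\x00", 1)[0]


MODULE_ROOT = "/webroot/modules"    # constructed for this example


def resolve_module_path(module: str) -> str:
    """Build MODULE_ROOT/<module>/index.php, or raise ValueError."""
    if "\x00" in module:
        raise ValueError("embedded NUL byte in module name")
    if module in ("", ".", "..") or "/" in module or "\\" in module:
        raise ValueError("module name must be a single path component")
    path = posixpath.normpath(posixpath.join(MODULE_ROOT, module, "index.php"))
    if not path.startswith(MODULE_ROOT + "/"):      # defence in depth
        raise ValueError("path escapes module root")
    return path


def is_valid_module(module: str) -> bool:
    """True only if resolve_module_path() accepts the name."""
    try:
        resolve_module_path(module)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    evil = b"/webroot/modules/../../../../etc/group\x00/index.php"
    print("length-counted string has %d bytes; libc sees %r" % (len(evil), c_string_view(evil)))
    for sample in (b"caf\xc3\xa9", b"\xc0\xae", b"\xe0\x80\xaf", b"\xed\xa0\x80"):
        print(sample, "->", "ok" if is_strict_utf8(sample) else "rejected")
    print(resolve_module_path("blog"))
```

The decoder is deliberately written out rather than calling `bytes.decode("utf-8")` so the individual checks are visible: the overlong test (`cp < minimum`) is the one that stops `C0 AE` from turning into `.` after a filter has already looked for it, and the refusal to skip or delete bad bytes is what TR36 recommends. The path check rejects the NUL before any C API can truncate on it, and the `normpath` + prefix test catches traversal even if the single-component rule were later relaxed.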