cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [SECURITY NOTICE] libidn with bad UTF8 input

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 02 Jul 2015 12:59:59 -0400

On 7/2/2015 10:51 AM, Daniel Hardman wrote:
> I will post a proposed patch demonstrating validation.

This issue is discussed on github bagder/curl as well [1], you should
check that. I added a branch check_utf8_before_libidn [2] and it has a
new function utf8len that will error if the utf-8 is not well-formed.
That is the more strict way to go, I think. I caution you I just wrote
it, I haven't had time to test it or anyo f the things I normally do.

My impression is the senior authors/maintainers have had a discussion
and already made a decision about this issue to not do anything, and
that's alluded to in the advisory. Based on that I think it's unlikely
any collaborator is going to put a fix in master and it's probably
unlikely any are going to participate in the branch. Still, I think it
would be good we propose some ideas because from what I gather this may
be a 'hey it's libidn' no 'hey it's libiconv' no 'hey it's libcurl' type
thing on who is responsible to check the utf-8. Maybe hey it's all of us.

[1]: https://github.com/bagder/curl/issues/332
[2]:
https://github.com/bagder/curl/compare/check_utf8_before_libidn?expand=1

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-07-02