curl-library
Re: [SECURITY NOTICE] libidn with bad UTF8 input
Date: Tue, 7 Jul 2015 12:33:08 -1000
>
> ETA for pull request: maybe tomorrow evening UTC-1100
>
I have submitted a pull request. However, please note:
1. The pull request is from my private fork to Ray's
check_utf8_before_libidn branch; it doesn't yet target master. This is
because I'd like at least Ray and Daniel's feedback, first.
2. I'm a bit unhappy about the lack of error propagation. Right now, if we
detect invalid utf8 in a hostname, we record the error, but the only
downstream consequence is that we leave non-ascii in ->host, and then allow
DNS to fail. As a result, invalid utf8 manifests with
CURLE_COULDNT_RESOLVE_HOST. Should we return something more specific?
3. Related to Q2: is the unit test adequate? Right now it proves we react
to invalid utf8 in hostname by failing to connect--but that error condition
is so generic that it could be caused by almost anything. Is there a better
way?
4. Please also note my odd tweak to handle the (sometimes) static utf8len()
function. Is this kosher?
--Daniel
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-07-08