Newsgroups: php.internals
Xref: news.php.net php.internals:124899
Date: Mon, 12 Aug 2024 19:34:40 +0200
List-Id: internals.lists.php.net
Subject: Re: [PHP-DEV][Discussion] Should All String Functions Become Multi-Byte Safe?
To: Nick Lockheart, internals@lists.php.net
References: <9bce8dd60b23486ec34caa0174d844096eed26af.camel@ageofdream.com>
In-Reply-To: <9bce8dd60b23486ec34caa0174d844096eed26af.camel@ageofdream.com>
From: cmbecker69@gmx.de ("Christoph M. Becker")

On 12.08.2024 at 19:15, Nick Lockheart wrote:
> One report is: https://www.unicode.org/reports/tr36
>
> There are several things in their guide.
>
> They recommend that illegal byte sequences not be deleted as this can
> create an attack vector where two bytes that fit together are split by
> an illegal sequence, that, once removed, puts the two bytes back
> together to make something new, *after* the program has checked for
> dangerous characters:
>
> https://www.unicode.org/reports/tr36/#SecureEncodingConversion
>
> In PHP, you should be able to do that with:
>
> $ScrubbedBody = mb_scrub($_POST['body'], 'UTF-8');

I suggest to *validate*, not to *sanitize*. If a malicious user submits
illegal UTF-8, just reject the request right away. Regular users shouldn't
even notice this.

Christoph
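The difference between the two approaches in this exchange, shown as an added example that is not part of the thread and not code from PHP itself. It assumes PHP 8 with the mbstring extension; the input and the token name FORBIDDEN are constructed placeholders, with 0xFF chosen only because it can never occur in well-formed UTF-8:

```php
<?php
// Added example: why validating UTF-8 (mb_check_encoding) is safer than
// scrubbing it (mb_scrub). The token is a constructed placeholder standing in
// for anything an earlier check might look for.
const FORBIDDEN_TOKEN = 'FORBIDDEN';

// Constructed input: the token split in two by an ill-formed byte.
function constructedInput(): string
{
    return "FORBI\xFF" . "DDEN";
}

// A check run on the raw bytes passes, because the token is not contiguous.
function rawCheckPasses(string $input): bool
{
    return !str_contains($input, FORBIDDEN_TOKEN);
}

// Sanitizing: mb_scrub() replaces ill-formed sequences with the substitute
// character ('?' by default). With the substitute set to "none" it deletes
// them instead, which is the UTR#36 pitfall: the halves are joined and the
// token the earlier check looked for now appears in the "clean" string.
function scrubByDeletion(string $input): string
{
    $previous = mb_substitute_character();
    mb_substitute_character('none');
    try {
        return mb_scrub($input, 'UTF-8');
    } finally {
        mb_substitute_character($previous);
    }
}

// Validating (what the reply recommends): reject ill-formed input outright.
// Nothing is removed, so nothing can be reassembled behind the check.
function validateUtf8(string $input): bool
{
    return mb_check_encoding($input, 'UTF-8');
}

$input = constructedInput();
printf("raw check passes:       %s\n", rawCheckPasses($input) ? 'yes' : 'no');

$scrubbed = scrubByDeletion($input);
printf("after deletion scrub:   %s (token present: %s)\n",
    $scrubbed, str_contains($scrubbed, FORBIDDEN_TOKEN) ? 'yes' : 'no');

printf("default scrub:          %s\n", mb_scrub($input, 'UTF-8'));
printf("mb_check_encoding:      %s\n",
    validateUtf8($input) ? 'valid' : 'invalid, reject the request');
```

With the default substitute character the output is `FORBI?DDEN`, so the token is not reassembled, but the stored data still differs silently from what was submitted; only the `mb_check_encoding` path leaves the request in a state where the application can refuse it before any check or transformation runs.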