[OWASP-FILTERS] Re: [Owasp-input-api-developers] filters/java

Alex Russell alex at netWindows.org
Wed Oct 30 16:04:06 EST 2002

On Wednesday 30 October 2002 03:28, Ingo Struck wrote:
> Hi...
> > have a look through the archives and try to find the "vision document".
> Hm... I couldn't locate it. :o(

see attached DocBook document.

> But I saw the idmef thing together with some other code...
> What's that? For me it seems to be a different way to describe
> vulnerabilities, so is it a second VulnXML draft?
> Please tell me some words about status/purpose.

this is water under the bridge. Please read the archives for details.

> > canonicalization. 
> Wew, I think this is really a tricky / huge problem.
> As you surely know, nearly all charset de/encoding mechanisms are not
> trivial. If you really try to canonicalize everything before filtering, I
> bet that the only attack an attacker has to try out is a simple
> overloading.

that's why we force a charset. All Unicode compliant converters will use 
"shortest encoding" semantics, and so we shouldn't have to worry about 

> As I already stated, on the protocol / db layer (which should be considered
> to be the most sensitive one) you can assume at least everything to be
> eight-bit, if not seven (ascii) or even six bit (base64).
> Thus, the simple canonicalization on that layer would consist of bit
> masking.
> The filters on other stages may well need a full-fledged charset
> canonicalization, but it should only happen comparatively seldom that a
> user has to provide charset-dependent input (e.g. i18n names / search
> patterns or the like).

we'll worry about efficiency once we have correctness. Premature 
optimization is the root of all evil.

Alex Russell
alex at SecurePipe.com
alex at netWindows.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: VisionDocumentFilters_1.0.2.xml
Type: text/xml
Size: 12098 bytes
Desc: not available
Url : http://lists.owasp.org/pipermail/owasp-filters/attachments/20021030/dd6f9d86/attachment.xml 
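
The approach discussed in the message above (force one charset, rely on shortest-encoding semantics, canonicalize before filtering), as an added example that is not part of the original message or of the OWASP filters code. The class name, the filter rule and the sample bytes are assumptions constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CharsetDecoder;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

public class CanonicalizeThenFilter {

    // Decode with one forced charset (UTF-8). REPORT turns malformed input,
    // including non-shortest ("overlong") sequences, into an exception
    // instead of silently substituting U+FFFD.
    static String canonicalize(byte[] raw) throws CharacterCodingException {
        CharsetDecoder dec = StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT);
        return dec.decode(ByteBuffer.wrap(raw)).toString();
    }

    // Hypothetical filter rule: the field must not contain markup brackets.
    static boolean passesFilter(String s) {
        return s.indexOf('<') < 0 && s.indexOf('>') < 0;
    }

    // Canonicalize first, filter second. Input that is not valid
    // shortest-form UTF-8 is rejected outright, never repaired.
    static boolean accept(byte[] raw) {
        try {
            return passesFilter(canonicalize(raw));
        } catch (CharacterCodingException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        byte[] plain = "Ingo".getBytes(StandardCharsets.UTF_8);
        byte[] i18n = "J\u00fcrgen".getBytes(StandardCharsets.UTF_8);
        byte[] bracket = "a<b".getBytes(StandardCharsets.UTF_8);
        // 0xC0 0xBC is a two-byte overlong form of '<' (0x3C). A filter that
        // scans raw bytes for 0x3C finds nothing here; the strict decoder
        // refuses the sequence before the filter ever runs.
        byte[] overlong = { 'a', (byte) 0xC0, (byte) 0xBC, 'b' };

        System.out.println("plain ASCII accepted:  " + accept(plain));
        System.out.println("i18n name accepted:    " + accept(i18n));
        System.out.println("literal '<' accepted:  " + accept(bracket));
        System.out.println("overlong '<' accepted: " + accept(overlong));
    }
}
```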
