| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 21 May 2007 15:28:27 -0400 From: "Brian Eaton" <eaton.lists@...il.com> To: ascii <ascii@...amail.com> Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>, Web Security <websecurity@...appsec.org> Subject: Re: noise about full-width encoding bypass? On 5/21/07, ascii <ascii@...amail.com> wrote: > Brian Eaton wrote: > > To summarize what I've heard from various sources: I am missing > > something important. =) Both PHP and ASP.NET will decode these > > characters into their ASCII equivalents. > > (AFAIK) > > Only ASP.NET/IIS decodes that automatically. > > PHP *can* do that as like JSP and probably others but that has > to happen explicitly in the application code or on an other layer. (Cracking up that somebody going by the handle ascii is commenting on character encoding issues. =) Given how few application platforms decode full-width unicode to ASCII equivalents, is there a case to be made that those application platforms that do decide this conversion is a good idea are broken? Put another way: should this be considered a bug in ASP.NET? Regards, Brian _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists