On 23/04/2012 19:17, Kevin Chadwick wrote:
On Sun, 22 Apr 2012 07:26:19 -0400, Anthony G. Basile wrote:
3) I agree that hardened should be mostly off by default. E.g. IPv6 is
off by default. But as pressure mounts, the switch to on by default may
have to occur, as it has now with Unicode and will happen some day with IPv6.
Good stuff.
There was a nasty input-sanitisation-avoiding bug in PHP that only
affected Linux boxes with Unicode-enabled terminals. Maybe these bug
types have something to do with it.
I'd be in two minds; personally I can't remember using Unicode on a
terminal and you could use base64 as a workaround. Many, many will use it
though, so the default should be enabled.
Equally I would be thinking that we can find some bugs due to Unicode
being off? Whether they would cause "security" failures is another matter.
It's probably on the tipping point that IPv6/Unicode needs decent testing.
Ed W