Hi Christoph, On Tue, Aug 16, 2016 at 6:01 PM, Christoph M. Becker <cmbecke...@gmx.de> wrote: > On 16.08.2016 at 08:42, Stanislav Malyshev wrote: > >>> Yasuo (who Dan quoted here) refers to completely invalid input, such as >>> invalid UTF-8 byte sequences. I think, that in this case the app should >>> bail out without even given detailed information, as such grossly >>> invalid input most likely is an attempt to attack (or a severe browser bug). >> >> I personally am not a big fan of "bail out without giving information", >> unless that information somehow crosses security boundary (e.g. >> displaying PHP error messages in production) or reveals unnecessary info >> (this part is super-tricky in crypto, but ouside of crypto common sense >> is usually not a bad guide). >> >> <snip> >> >> Now, how much easier your life would be if you app would just report >> "invalid UTF-8 sequence encountered in parameter FirstName" before >> bailing out? How many hours, pulled out hairs and 4am sessions would it >> save? I think it's worth considering. > > I once introduced a check erroring with "Malformed UTF-8 detected" to a > CMS. Until that was changed to "Bad request. Please <a href=".">try > again</a>.", we got a lot of support requests from confused users who > had bookmarked URLs with ISO-8859-* query strings. Even pointing out > which parameter was the culprit, wouldn't have changed that, I presume. > > Of course, it makes sense to *log* very detailed information in this > case (amongst others, the byte sequence that was malformed), but > presenting them to visitors doesn't seem to be helpful – most of these > wouldn't even know what UTF-8 is.
Excellent example of input validation exception! Software has history, therefore certain validation cannot be done automatically. For the record, many security standards/guides require to "Canonicalize" input data _before_ input validation. If anyone would like to validate "String", canonicalize first. Regards, -- Yasuo Ohgaki yohg...@ohgaki.net -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
