exon wrote:
> Peter Conrad wrote:
>
>> Hi,
>>
>> On Thu, Apr 20, 2006 at 10:22:18PM -0400, Rossen Raykov wrote:
>>
>>> Is that ?simplest form? achievable? One can perform many and
>>> different encodings making the task of decoding them very difficult
>>> and resource consuming. Usually it is cheaper and safeties to do
>>> semantic checkup and treat the input as erroneous if it does not
>>> confirm to the expected input format.
>>
>>
>>
>> you're comparing apples with oranges here. You must perform
>> canonicalization
>> *before* you can match the input against the expected format.
>>
>>
>>> For example if you are expecting number anything different than a
>>> number is error.
>>
>>
>>
>> Here are some different representations of the same number:
>>
>> 11
>> +11
>> 11.0
>> 11.00
>> 011
>>
>
>
> This is just stupid. If the user is supposed to input an unsigned
> numeric integer it's just dumb to accept dots, plusses, commas and any
> other char than what fits in 0-9. Leading zeros can be stripped,
> although if the application itself never adds them you shouldn't allow
> that either. Even if you accept negative numbers or floating point
> numbers there's still a very limited range of characters to accept.
Alright then with 11.00 you strip the "." and are left with 1100. But
that is clearly not what the user intended. They intended 11. You need
to canonicalize to a normalized form before you can then reject for
innapproptiate values.
-------------------------------------------------------------------------
This List Sponsored by: SPI Dynamics
ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
Received on Apr 23 2006
Intro
