XH 1.5.10: Extend checking input for valid UTF-8

Post by cmb » Tue Feb 04, 2014 6:02 pm

Hello Community,

In CMSimple_XH 1.5.4 a check for valid user input for all the values of GET and POST parameters was introduced as an additional security and stability measure. Otherwise an attacker might fool various routines by using unexpected non-UTF-8 byte sequences. In CMSimple_XH 1.6 this check was extended to all SERVER variable values as well as the GET and POST keys. I suggest that we add this additional security measure for XH 1.5.10.

However, I'm not yet sure about the negative performance impact. It seems the current implementation takes quite some time, and should be improved. I'll open another thread regarding this issue.

Christoph
Christoph M. Becker – Plugins for CMSimple_XH
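
The check described in the post above, sketched as an added example that is not part of the original thread and not CMSimple_XH's own code: it walks an input array recursively and rejects malformed UTF-8 in both keys and values. The function names, the sample data and the 400 response in the closing comment are assumptions.

```php
<?php
// Added illustration; is_valid_utf8() and input_is_valid_utf8() are
// hypothetical names, not functions from CMSimple_XH.

function is_valid_utf8(string $value): bool
{
    // With the /u modifier PCRE validates the subject first; on malformed
    // UTF-8 preg_match() returns false rather than 0 or 1.
    return preg_match('//u', $value) === 1;
}

function input_is_valid_utf8(array $input): bool
{
    foreach ($input as $key => $value) {
        // Parameter names are attacker-controlled as well; integer keys
        // cannot carry malformed bytes.
        if (is_string($key) && !is_valid_utf8($key)) {
            return false;
        }
        if (is_array($value)) {
            // Nested parameters such as a[b][]=x
            if (!input_is_valid_utf8($value)) {
                return false;
            }
        } elseif (is_string($value) && !is_valid_utf8($value)) {
            // Non-string entries (e.g. the integer REQUEST_TIME) are skipped.
            return false;
        }
    }
    return true;
}

// Constructed samples standing in for $_GET, $_POST and $_SERVER.
$samples = [
    'valid value'                => ['search' => "Gr\xC3\xBC\xC3\x9Fe"],
    'truncated sequence (value)' => ['search' => "abc\xC3"],
    'overlong encoding (nested)' => ['a' => ['b' => "\xC0\xAF"]],
    'invalid byte in key'        => ["\xFF" => '1'],
    'invalid header value'       => ['HTTP_USER_AGENT' => "x\xE2\x28\xA1"],
];
foreach ($samples as $label => $input) {
    printf("%-28s %s\n", $label, input_is_valid_utf8($input) ? 'accept' : 'reject');
}

// At a real entry point the same call would cover $_GET, $_POST and $_SERVER
// before any other code touches them, for instance answering a failed check
// with header('HTTP/1.0 400 Bad Request'); exit; (assumed handling).
```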

Re: XH 1.5.10: Extend checking input for valid UTF-8

Post by cmb » Tue Apr 15, 2014 10:10 pm

Oops--I'd totally forgotten to put this issue on the roadmap. As it seems, it might be better to leave that as is--at least the issue had to be investigated more thoroughly, see http://cmsimpleforum.com/viewtopic.php?f=10&t=7182.
Christoph M. Becker – Plugins for CMSimple_XH