[Mono-dev] [PATCH] MS/Mono incompatibility in System.Web.HttpRequest
Chris Toshok
toshok at ximian.com
Mon Mar 20 15:41:47 EST 2006
On Fri, 2006-03-17 at 19:58 -0500, Gonzalo Paniagua Javier wrote:
> On Fri, 2006-03-10 at 09:53 -0500, Chris Toshok wrote:
> > I just read in Schackow's ASP.NET 2.0 security book about this,
> > actually. He says that the three sequences that result in rejecting a
> > string are:
> >
> > 1. a < followed by a !
> > 2. a < followed by the letters a-z (upper or lowercase)
> > 3. a & followed by a #
> >
> > Did your testing reveal that 3 wasn't used? I was planning to commit a
> > change that does the above 3 checks today.
>
> Btw, you also have to check for those unicode characters which
> correspond to a '<' and '>'.

I added the unicode character for '<', but didn't put checks in for
either '>' or its corresponding unicode. Are those really an issue?

Chris
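The three checks listed in the thread above, plus the Unicode '<' case, as an added C# sketch; it is not part of the original message and not Mono's System.Web.HttpRequest code. It assumes the Unicode counterpart of '<' is the fullwidth less-than sign U+FF1C (the thread does not name it) and that the same follow-up rules apply to it; `RequestValidationSketch` and `FindDangerousSequence` are hypothetical names.

```csharp
using System;

// Added illustration; not Mono's HttpRequest implementation.
static class RequestValidationSketch
{
    // Assumption: the thread does not name the Unicode counterpart of '<';
    // this sketch uses the fullwidth less-than sign U+FF1C.
    const char FullwidthLessThan = '\uFF1C';

    static bool IsAsciiLetter(char c)
    {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
    }

    // Returns the index of the first rejected sequence, or -1 if none is found.
    public static int FindDangerousSequence(string value)
    {
        if (string.IsNullOrEmpty(value))
            return -1;

        // Every rule needs a following character, so stop one short of the end.
        for (int i = 0; i < value.Length - 1; i++)
        {
            char c = value[i];
            char next = value[i + 1];

            if (c == '<' || c == FullwidthLessThan)
            {
                if (next == '!' || IsAsciiLetter(next))   // rules 1 and 2
                    return i;
            }
            else if (c == '&' && next == '#')             // rule 3
            {
                return i;
            }
        }
        return -1;
    }

    static void Main()
    {
        // Constructed sample values, not taken from the thread.
        string[] samples = {
            "a < b", "1<2", "<b>bold</b>", "<!-- note -->",
            "&#60;b&#62;", "AT&T", "\uFF1Cb", "x >", "trailing <"
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-16} -> {1}", s, FindDangerousSequence(s));
    }
}
```

A lone '>' is accepted here, matching the message above: none of the three rules depends on it.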