
Re: [Chicken-hackers] CHICKEN in production


From: John Cowan
Subject: Re: [Chicken-hackers] CHICKEN in production
Date: Mon, 13 Oct 2014 21:07:12 -0400
User-agent: Mutt/1.5.20 (2009-06-14)

Florian Zumbiehl scripsit:

> > I am frankly sick of tools bending over backwards to support NUL.
> 
> I am frankly sick of people making up their own variants of standards,
> creating all kinds of interoperability and security problems, and even more
> of environments that make it unnecessarily difficult to implement
> conforming implementations.

Profiling a standard is hardly making up your own variant of it.
The Unicode Standard does not in fact require for conformance that a
system be able to process every character in it, and it is in fact quite
unusual for a system to be able to handle every character end to end.

> some creative person submits a JSON document with NULs to your frontend
> system, which validates it, passes it to your JSON-but-without-NULs
> parser, and voilà, you have a DoS, congrats!

Where does the DoS come in?  Your back end quite legitimately rejects
such a bogus document, which is far better than having it accept it with
a truncated string.  It's not, after all, a DoS to deny service to a
malicious actor.

-- 
John Cowan          http://www.ccil.org/~cowan        address@hidden
We do, doodley do, doodley do, doodley do,
What we must, muddily must, muddily must, muddily must;
Muddily do, muddily do, muddily do, muddily do,
Until we bust, bodily bust, bodily bust, bodily bust.  --Bokonon

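An added illustration of the truncate-versus-reject point in the reply above (example code, not from this thread or from CHICKEN). The decoder, its escape subset and the constructed value "alice\u0000bob" are assumptions made here to show what the two back-end behaviours look like in C:

```c
/* Added example (not from the thread or from CHICKEN): what a \u0000 in a JSON string does downstream. */
#include <ctype.h>
#include <string.h>
#include <stdio.h>
static const char HEX[] = "0123456789abcdef";

/* Decode the escapes in src (the text between the quotes) into dst, NUL-terminated.
 * Returns the decoded length, or -1 on malformed input. Assumption for brevity:
 * only the \" \\ and \u0000..\u00FF escapes are handled. */
static long json_decode_string(const char *src, char *dst, size_t cap)
{
    size_t n = 0;
    for (const char *p = src; *p; p++) {
        char c = *p;
        if (c == '\\' && *++p != 'u') {              /* \" or \\ (p now at the escaped char) */
            if (*p != '"' && *p != '\\') return -1;
            c = *p;
        } else if (c == '\\') {                      /* \uXXXX, p now points at the 'u' */
            int v = 0;
            for (int i = 1; i <= 4; i++) {           /* stops at the first non-hex byte */
                const char *d = p[i] ? strchr(HEX, tolower((unsigned char)p[i])) : NULL;
                if (!d) return -1;
                v = v * 16 + (int)(d - HEX);
            }
            if (v > 0xFF) return -1;
            c = (char)v;
            p += 4;
        }
        if (n + 1 >= cap) return -1;
        dst[n++] = c;
    }
    dst[n] = '\0';
    return (long)n;
}

/* The back-end policy from the reply: refuse a value containing NUL rather than
 * let strlen()/printf("%s") silently truncate it. Returns 1 = accept, 0 = reject. */
static int accept_without_nul(const char *buf, long n)
{
    return n >= 0 && memchr(buf, 0, (size_t)n) == NULL;
}

int main(void)
{
    char buf[64];
    long n = json_decode_string("alice\\u0000bob", buf, sizeof buf);
    printf("decoded %ld bytes, a C-string consumer sees %zu, accepted=%d\n",
           n, strlen(buf), accept_without_nul(buf, n));
    return 0;
}
```

The decoder accepts the document, as a conforming JSON validator must; the second function is where the back end decides between rejecting it and handing a silently shortened "alice" to anything that uses C string functions.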