[rescue] UTF-8 [was T5220 update]
Phil Stracchino
phils at caerllewys.net
Fri Nov 3 12:21:30 CDT 2017
On 11/03/17 13:15, Phil Stracchino wrote:
> On 11/03/17 12:55, Mouse wrote:
>> But Thomson's draft seems to be talking (almost?) entirely about
>> network protocols, and in that context I think it's right. I'm more on
>> the fence about its applicability to other interfaces, such as stdin
>> and stdout of tools.
>
> I am totally in agreement with regard to network protocols, security
> handshakes and the like: Indeed, fail fast and hard. Get it right, or
> go home.

In fact a good practical example just occurred to me.

In MySQL 5.5.13 and earlier, there was a step in the MySQL
authentication handshake which mysqld would allow you to get away with
performing incorrectly, provided it was exactly the "right" incorrect.
Predictably, at least one client implementation (Microsoft ODBC of the
version used in .NET 3.5) performed that single step of the handshake in
exactly the right incorrect manner.

I'm not sure whether the error was actually exploitable, though I would
assume it was with sufficient ingenuity. Oracle fixed it in MySQL
5.5.14. Of course, this meant that no application or service relying on
.NET 3.5 or its version of MS ODBC could connect to MySQL 5.5.14 or later...

"Get it right, or go home."
--
Phil Stracchino
Babylon Communications
phils at caerllewys.net
phil at co.ordinate.org
Landline: +1.603.293.8485
Mobile: +1.603.998.6958