
Security: allow removing characters above U+FFFF in RequestFactory

Open JanTvrdik opened this issue 10 years ago • 3 comments

MySQL's utf8 encoding does not support characters above U+FFFF. Using utf8 encoding and not removing characters above U+FFFF can be used to bypass input validation. You can for example use this to bypass the minimum length requirement for a thread title on the Nette forum. See the excellent presentation Hacking with Unicode for more practical examples.

Applications must either use utf8mb4 encoding (which supports full UTF-8) or remove all characters above U+FFFF. I think that Nette should support both approaches.

We should certainly allow removing characters above U+FFFF in RequestFactory and either make it default or change default encoding in Nette\Database to utf8mb4.


Note: utf8mb4 encoding is available since MySQL 5.5.3 (2010-03-24)

JanTvrdik avatar Dec 05 '14 11:12 JanTvrdik
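An added example, not code from this issue or from Nette, sketching the two defences the thread discusses: dropping code points above U+FFFF before a length check (the RequestFactory option proposed above) and detecting input that MySQL's 3-byte utf8 charset cannot store losslessly. Python is used for illustration; `validate_title` and its `min_len` are hypothetical.

```python
import re
from typing import Tuple

# Code points above U+FFFF (outside the Basic Multilingual Plane) need four
# bytes in UTF-8, which MySQL's legacy 3-byte "utf8" charset cannot store; on
# a non-strict server such text is silently truncated or replaced.
ABOVE_BMP = re.compile(r'[\U00010000-\U0010FFFF]')


def strip_above_bmp(text: str) -> str:
    """Drop every code point above U+FFFF (the proposed RequestFactory option)."""
    return ABOVE_BMP.sub('', text)


def storable_in_mysql_utf8(text: str) -> bool:
    """True if the legacy 3-byte 'utf8' charset can hold the text losslessly."""
    return all(len(ch.encode('utf-8')) <= 3 for ch in text)


def validate_title(raw: str, min_len: int = 3,
                   normalize: bool = True) -> Tuple[bool, str, str]:
    """Minimum-length check for a forum title (hypothetical helper).

    With normalize=False it reproduces the flaw from the report: the length
    is measured on the raw input, but a utf8 column will not keep those
    characters. Returns (accepted, title as checked, reason).
    """
    title = strip_above_bmp(raw) if normalize else raw
    title = title.strip()
    if len(title) < min_len:
        return False, title, 'shorter than %d characters after normalization' % min_len
    return True, title, ''


if __name__ == '__main__':
    # Constructed sample: a title made only of emoji, each above U+FFFF.
    emoji_only = '\U0001F600' * 5
    print(len(emoji_only), storable_in_mysql_utf8(emoji_only))   # 5 False
    print(validate_title(emoji_only, normalize=False)[0])         # True: check bypassed
    print(validate_title(emoji_only)[0])                          # False: rejected
```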

@dg Any thoughts? What would you recommend to people who use Nette?

JanTvrdik avatar Jan 10 '15 12:01 JanTvrdik

utf8mb4 enabled, thx for suggestion https://github.com/nette/database/commit/79886631edf37c27f079814bd2de417cb577c7fe

dg avatar Jan 10 '15 15:01 dg

| | strict | nonstrict | note |
| --- | --- | --- | --- |
| names utf8, table utf8 | error 1366 | truncates string | for all < 5.5.3 users |
| names utf8mb4, table utf8 | error 1366 | replaces with ? | for nearly all >= 5.5.3 users |
| names utf8, table utf8mb4 | error 1366 | replaces with ???? | fixed by https://github.com/nette/database/commit/79886631edf37c27f079814bd2de417cb577c7fe |

To remove characters on input is like magic quotes. It should be solved on the Database level; invalid characters can optionally be converted to '?'.

dg avatar Jan 10 '15 16:01 dg