Potential security issue: Yahoo authorisation requests with invalid encoding

Sulabh Mahajan sulabh.dev at gmail.com
Mon Dec 31 14:41:20 EST 2012


>
> > Rather than validating strings in the action functions, we should pass all
> > the packets through a helper function, which will make sure that the strings
> > are UTF-8. Later on we can get rid of the redundant checks in the action
> > functions.
>
> I think this is a great idea as long as it's possible.  Are values
> always strings, or are they sometimes binary?  Are all strings encoded
> the same way?  It looks like they aren't, since some functions call
> yahoo_string_decode() with utf8=FALSE and others with utf8=TRUE.
>

All values are not strings. But as far as my knowledge of the protocol
goes, the keys whose values are strings are fixed and known.
For example keys 0, 1, 3, 4, 5 correspond to user-ids, and hence are always
strings, whereas keys 11, 13, 241 are numbers / flags.
I have compiled a list of keys whose values are supposed to be strings and
treated with yahoo_string_decode.
We always use yahoo_string_decode() with utf8=FALSE, until and unless the
packet has key 49 with value 1, which says that the strings are supposed
to be UTF-8.

I can put the above logic in a helper function, and call it for each packet
before passing it on for processing. Does that sound reasonable?

I will do so in a local work-space, and let you know once done. Then we can
push it to the desired repository.

Regards,
Sulabh Mahajan
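
The per-packet helper proposed in this message, sketched as an added example; it is not code from Pidgin or from the author of the message. The names `struct pair`, `is_string_key` and `sanitize_packet`, the `-1` return convention and the `'?'` replacement are assumptions, and the string-key list holds only the keys named above.

```c
#include <string.h>

/* Constructed for illustration: one decoded key/value pair of a packet. */
struct pair { int key; char value[64]; };

/* Only the user-id keys named in the message; the full list is not on the page. */
static int is_string_key(int key) {
    return key == 0 || key == 1 || key == 3 || key == 4 || key == 5;
}

/* Length (1..4) of the valid UTF-8 sequence at s, or 0 if it is invalid.
 * Rejects truncated and overlong forms, surrogates and values > U+10FFFF. */
static size_t utf8_seq_len(const unsigned char *s, size_t n) {
    size_t len, i;
    unsigned long cp;
    if (s[0] < 0x80) return 1;
    else if ((s[0] & 0xE0) == 0xC0) { len = 2; cp = s[0] & 0x1F; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; cp = s[0] & 0x0F; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; cp = s[0] & 0x07; }
    else return 0;
    if (len > n) return 0;
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if ((len == 2 && cp < 0x80) || (len == 3 && cp < 0x800) ||
        (len == 4 && cp < 0x10000)) return 0;
    if (cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
    return len;
}

/* Run once per packet before any action function sees it.
 * Returns -1 when key 49 is not "1": the values are not claimed to be UTF-8
 * and must go through the utf8=FALSE conversion instead (not shown here).
 * Otherwise replaces every invalid byte in string-keyed values with '?'
 * and returns the number of bytes replaced. */
int sanitize_packet(struct pair *p, size_t n) {
    size_t i, j, len, l;
    int utf8 = 0, fixed = 0;
    for (i = 0; i < n; i++)
        if (p[i].key == 49 && strcmp(p[i].value, "1") == 0) utf8 = 1;
    if (!utf8) return -1;
    for (i = 0; i < n; i++) {
        if (!is_string_key(p[i].key)) continue;   /* numbers / flags untouched */
        len = strlen(p[i].value);
        for (j = 0; j < len; j += l) {
            l = utf8_seq_len((unsigned char *)p[i].value + j, len - j);
            if (l == 0) { p[i].value[j] = '?'; fixed++; l = 1; }
        }
    }
    return fixed;
}
```
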