Potential security issue: Yahoo authorisation requests with invalid encoding

Mark Doliner mark at kingant.net
Sun Jan 19 14:38:24 EST 2014

I just checked in and pushed a fix for this. I added calls to
g_utf8_validate everywhere.

I was hesitant to centralize the validation because I made the change
in our private repo, which means basically no one will be able to test
it until after it's released. It's dangerous to make high-impact
changes like that with little testing. Adding calls to g_utf8_validate
should keep the behavior the same as before, with the exception that
things won't crash if a string is non-UTF-8.

I'm planning to release this fix in 2.10.8 sometime in the next two weeks.

And we can clean it up in main.

More information about the security mailing list