Potential security issue: Yahoo authorisation requests with invalid encoding
Mark Doliner
mark at kingant.net
Sun Jan 19 14:38:24 EST 2014
I just checked in and pushed a fix for this. I added calls to
g_utf8_validate everywhere.
I was hesitant to centralize the validation because I made the change
in our private repo, which means basically no one will be able to test
it until after it's released. It's dangerous to make high-impact
changes like that with little testing. Adding calls to g_utf8_validate
should keep the behavior the same as before, with the exception that
things won't crash if a string is non-UTF-8.
I'm planning to release this fix in 2.10.8 sometime in the next two weeks.
And we can clean it up in main.