Date: Sat, 31 Jan 2026 22:15:05 -0800
On Saturday, 31 January 2026 22:03:05 Pacific Standard Time Thiago Macieira via
Std-Proposals wrote:
> But I don't agree it suffices. The bigger problem I see is one of security.
> We have had security issues in the past where a NUL was passed and caused a
> string to be terminated short of where the caller expected it to. An
> example was in X.509 certificates issued with CN=bank.com%00.attacker.net:
> the percent-decoder operating in C++ calculated the full length of the
> string and placed a null terminator at the end, then this resulting decode
> was passed to a C API that stopped short.
It was "\x00":
https://github.com/qt/qtbase/blob/dev/tests/auto/network/ssl/qsslcertificate/more-certificates/badguy-nul-cn.crt
--
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
  Principal Engineer - Intel Data Center - Platform & Sys. Eng.
Received on 2026-02-01 06:15:15
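
The truncation described in this message, shown as an added example that is not part of the original post or of Qt's code: a length-aware C++ string holding a CN with a raw NUL byte is matched once through a C API and once with explicit lengths. The function names are hypothetical, and the CN bytes are constructed from the name quoted above with "\x00" in place of "%00".

```cpp
#include <cstring>
#include <string>

// Constructed sample: the CN from the quoted example with a raw NUL byte.
// The explicit length keeps all 22 bytes; a plain literal would stop at 8.
std::string sample_cn() {
    return std::string("bank.com\0.attacker.net", 22);
}

// Flawed check: c_str() hands the buffer to a C API, which stops reading
// at the first NUL and never sees the ".attacker.net" suffix.
bool matches_c_api(const std::string& cn, const char* host) {
    return std::strcmp(cn.c_str(), host) == 0;
}

// Detector for the mismatch: the C view of the string is shorter than
// the length the C++ side recorded.
bool truncates_in_c(const std::string& s) {
    return std::strlen(s.c_str()) != s.size();
}

// Hardened check: refuse any name with an embedded NUL, then compare
// using the stored lengths so no byte is silently dropped.
bool matches_length_aware(const std::string& cn, const std::string& host) {
    if (cn.find('\0') != std::string::npos)
        return false;
    return cn == host;
}
```

Rejecting the name at the boundary, before any conversion to `const char*`, is what keeps the two layers from disagreeing about where the string ends.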
