cacert-devel - [CAcert-Devel] Revision of name / email tests in cacert/www/gpg.php line 99 and following

Subject: CAcert Code Development list.

  • From: Thomas Kühne <thomas AT kuehne.cn>
  • To: cacert-devel AT lists.cacert.org
  • Subject: [CAcert-Devel] Revision of name / email tests in cacert/www/gpg.php line 99 and following
  • Date: Fri, 17 Dec 2004 02:59:42 +0100
  • List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-devel>
  • List-id: "CAcert Code Development list." <cacert-devel.lists.cacert.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Some ideas on the name combination test in cacert/www/gpg.php (line 99):

Sanitize user input ($name):

1] Leading and trailing white spaces should be removed before any check.

2] Any occurrence of more than one white space should be condensed to
exactly one space.

Internationalize name combination checks:

3] "lname fname" is the standard combination for Chinese names.

Internationalize email domain checks:

4] All domain name data should be converted to IDN(->PunyCode/RFC3492)
before comparison.

5] The comparison of the domain name has to be case-insensitive.

Error messages:

6] How about displaying a sample list of valid name combinations?


The last idea might have some security implications:

7] A lot of software can't properly handle non-ASCII names. As a consequence,
a lot of names get mangled, e.g. u-umlaut ("\u00FC") is replaced by
ue ("\u0075\u0065") to please legacy software systems.
It would be nice to treat those cases or at least report this problem to the
user if any of the used name data contains non-ASCII ("\u0080" and above) 
data.

Thomas Kühne

-----BEGIN PGP SIGNATURE-----

iD8DBQFBwj2T3w+/yD4P9tIRAkMbAJ9QY4stHg4qZmXaaHz6zoL/jPsuowCgp5L6
ms8nE7D59oyZo80lQqNR54Q=
=C+sw
-----END PGP SIGNATURE-----
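
The checks proposed in points 1 to 7 of the message above, as an added PHP example that is not part of the original post and not CAcert's gpg.php code. All function names, the list of accepted name orders, and the sample values are assumptions made for illustration; idn_to_ascii() needs PHP's intl extension.

```php
<?php
// Added example, not CAcert code. Needs the intl extension for idn_to_ascii().

// Points 1 and 2: collapse every run of white space to one space, then trim.
function normalize_name(string $name): string {
    $collapsed = preg_replace('/[\s\p{Z}]+/u', ' ', $name);
    if ($collapsed === null) {
        throw new InvalidArgumentException('name is not valid UTF-8');
    }
    return trim($collapsed);
}

// Points 3 and 6: hypothetical list of accepted orders, also usable as the
// sample list shown in an error message.
function name_combinations(string $fname, string $lname): array {
    return array_map('normalize_name', ["$fname $lname", "$lname $fname"]);
}

function name_matches(string $fname, string $lname, string $uidName): bool {
    return in_array(normalize_name($uidName), name_combinations($fname, $lname), true);
}

// Points 4 and 5: compare domains in their lower-cased ASCII (Punycode) form.
function canonical_domain(string $domain): ?string {
    $domain = trim($domain);
    if ($domain === '') {
        return null; // nothing to convert; treated as "no match" below
    }
    $ascii = idn_to_ascii($domain, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46);
    return $ascii === false ? null : strtolower($ascii);
}

function same_domain(string $a, string $b): bool {
    $ca = canonical_domain($a);
    return $ca !== null && $ca === canonical_domain($b);
}

// Point 7: flag names containing anything at or above U+0080 so the user can be warned.
function has_non_ascii(string $s): bool {
    return preg_match('/[^\x00-\x7F]/', $s) === 1;
}

// Constructed sample input.
var_dump(name_matches('Wei', 'Wang', "  Wang \t Wei "));
var_dump(same_domain('Bücher.example', 'xn--bcher-kva.EXAMPLE'));
var_dump(has_non_ascii('Müller'));
```

A domain that cannot be converted is treated as a non-match rather than compared in its raw form, so a malformed key UID cannot pass the domain check by accident.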



