Code Review Request, JDK-8146600 AVA Normalizer.Form issue
Wang Weijun
weijun.wang at oracle.com
Mon Sep 19 15:03:33 UTC 2016
After some thinking, my current opinion is:
1. Maybe NFC is better than NFKD, but I am not a Unicode expert.
2. I think the real bug is the order of escaping and normalization. The normalization (if a must) should be performed earlier, right after valStr is created, and only on valStr. Otherwise the NFKD normalization would generate new chars that need to be escaped. Again, I am not a Unicode expert and I don't know if NFC will also do the same.
If 2) is fixed, whatever is correct in 1) does not matter much.
Thanks
Max
> On Sep 19, 2016, at 10:32 AM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>
>> 4. Is it possible to perform normalization before escaping special characters?
>>
> Yes. I thought about this case. The current fix comes from the fact that UTF-8 "Hello, world!" and "Hello, world!" should be different. Parsing them as the same thing may result in unexpected serious issues.
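To make the ordering point in the thread concrete, here is an added example; it is my own illustration, not JDK code and not the patch under review. It assumes a simplified RFC 2253 escaper (only the special characters plus leading '#'/space and trailing space; the JDK's AVA class handles more cases) and a constructed sample value containing a FULLWIDTH COMMA (U+FF0C). NFKD maps U+FF0C to the ASCII comma, so escaping before normalizing leaves an unescaped separator in the value; NFC applies no compatibility mappings, so U+FF0C survives it unchanged. The helpers also show the two "Hello, world!" spellings from the quoted message collapsing to one string under NFKD but not under NFC.

```java
import java.text.Normalizer;
import java.util.ArrayList;
import java.util.List;

public class AvaNormalizeOrder {
    // Characters that RFC 2253 requires to be backslash-escaped inside an AVA value.
    private static final String SPECIALS = ",+\"\\<>;";

    // Simplified RFC 2253 escaping (assumption: sufficient for this demonstration;
    // hex escapes and other corner cases of the real AVA class are not reproduced).
    static String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean leadingHashOrSpace = i == 0 && (c == '#' || c == ' ');
            boolean trailingSpace = i == s.length() - 1 && c == ' ';
            if (SPECIALS.indexOf(c) >= 0 || leadingHashOrSpace || trailingSpace) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    // The order the thread identifies as the bug: escape first, then normalize.
    static String escapeThenNormalize(String valStr, Normalizer.Form form) {
        return Normalizer.normalize(escape(valStr), form);
    }

    // The order the thread proposes: normalize the raw valStr, then escape.
    static String normalizeThenEscape(String valStr, Normalizer.Form form) {
        return escape(Normalizer.normalize(valStr, form));
    }

    // Split an escaped value on unescaped commas, as an RDN parser splits a DN string.
    // More than one piece means the value boundary has been corrupted.
    static List<String> splitOnUnescapedCommas(String escaped) {
        List<String> parts = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        for (int i = 0; i < escaped.length(); i++) {
            char c = escaped.charAt(i);
            if (c == '\\' && i + 1 < escaped.length()) {
                cur.append(c).append(escaped.charAt(++i));
            } else if (c == ',') {
                parts.add(cur.toString());
                cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        parts.add(cur.toString());
        return parts;
    }

    // True when the two inputs become byte-for-byte identical under the given form.
    static boolean foldsTogether(String a, String b, Normalizer.Form form) {
        return Normalizer.normalize(a, form).equals(Normalizer.normalize(b, form));
    }

    public static void main(String[] args) {
        // Constructed sample: FULLWIDTH COMMA (U+FF0C), whose NFKD mapping is ASCII ','.
        String valStr = "Hello\uFF0C world!";
        String ascii = "Hello, world!";

        for (Normalizer.Form form : new Normalizer.Form[] {Normalizer.Form.NFKD, Normalizer.Form.NFC}) {
            String bad = escapeThenNormalize(valStr, form);
            String good = normalizeThenEscape(valStr, form);
            System.out.println(form + " escape-then-normalize: " + bad
                    + " -> " + splitOnUnescapedCommas(bad).size() + " piece(s)");
            System.out.println(form + " normalize-then-escape: " + good
                    + " -> " + splitOnUnescapedCommas(good).size() + " piece(s)");
            System.out.println(form + " folds the two spellings together: "
                    + foldsTogether(ascii, valStr, form));
        }
    }
}
```

Running this prints two pieces for the NFKD escape-then-normalize case (the new ASCII comma is unescaped and splits the value) and one piece for every other combination; the two spellings fold together only under NFKD, which is the collision the quoted message is worried about.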