peak at argo
Jul 20, 2002, 9:40 AM
Post #4 of 4
On 19 Jul 2002, Michel Arboi wrote:
> [OK, that was a very old message :-]
> Pavel Kankovsky <peak [at] argo> writes:
> > On 21 Feb 2002, Michel Arboi wrote:
> > > It seems that we could also send plain UTF-16. If I understand all
> > > this correctly, this would just mean inserting a %00 before every
> > > ASCII character and IIS will happily strip it.
> > > "GET /%00%41%00%42%00%43/ "
> > Checked this against (unpatched) IIS 5.0. Anything after the first %00
> > is ignored.
> I was wondering... Shouldn't we remove this buggy "evasion tactics"?
*shrug* Apparently, IIS is the first candidate when such a "creative"
interpretation of URLs is considered but it does not work with IIS. On the
other hand, I am certain engineers of Redmond as well as their buddies all
over the world are working hard to make their webserver even smarter than
they are today and some implementation interpreting UTF-16 might appear.
I myself would probably remove the option from GUI (or mark it as "not
known to work with existing HTTP servers") but would keep the code.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."