
Злопастные строки.pptx ("Frumious Strings")
- Number of slides: 9
Frumious Strings (Злопастные строки). Дмитрий Титаренко, СКБ Контур. [Title slide: attention-grabbing picture]
Code review

```csharp
// Extension method under review: the search is culture-sensitive
// (InvariantCultureIgnoreCase), but the slice assumes the match is exactly
// val.Length chars long, which a linguistic match need not be.
private static string Find(this string src, string val)
{
    var idx = src.IndexOf(val, StringComparison.InvariantCultureIgnoreCase);
    return idx >= 0 ? src.Substring(idx, val.Length) : null;
}
```
StartsWith, EndsWith, IndexOf

Caution (from the FindNLSStringEx documentation): "Because strings with very different binary representations can compare as identical, this function can raise certain security concerns."

```c
int FindNLSStringEx(
    _In_opt_  LPCWSTR lpLocaleName,
    _In_      DWORD   dwFindNLSStringFlags,
    _In_      LPCWSTR lpStringSource,
    _In_      int     cchSource,
    _In_      LPCWSTR lpStringValue,
    _In_      int     cchValue,
    _Out_opt_ LPINT   pcchFound,   // … length of the string that the function finds …
    …
);
```
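To make the review finding on `Find` concrete, here is an added example (mine, not from the deck) that runs the slide's culture-sensitive version next to two fixes on an input where a linguistic match is longer than the pattern. The ordinal fix is the one the BCL team later made the default; the second fix keeps the linguistic search but asks `CompareInfo` for the matched length, the managed counterpart of `FindNLSStringEx`'s `pcchFound`. It assumes .NET 5 or later for the `CompareInfo.IndexOf(..., out int matchLength)` overload; `FindDemo`, `Describe` and the soft-hyphen input are constructed here.

```csharp
using System;
using System.Globalization;

// Added example (not from the slides): the reviewed Find next to two fixes,
// run on input where a linguistic match is longer than the pattern.
static class FindDemo
{
    // As on the slide: linguistic search, but the slice assumes val.Length.
    static string FindCulture(string src, string val)
    {
        var idx = src.IndexOf(val, StringComparison.InvariantCultureIgnoreCase);
        return idx >= 0 ? src.Substring(idx, val.Length) : null;
    }

    // Fix 1: ordinal search; the match is then exactly val.Length UTF-16 units,
    // so the Substring slice is correct and no ignorable/expanding chars apply.
    static string FindOrdinal(string src, string val)
    {
        var idx = src.IndexOf(val, StringComparison.OrdinalIgnoreCase);
        return idx >= 0 ? src.Substring(idx, val.Length) : null;
    }

    // Fix 2 (.NET 5+): keep the linguistic search but take the matched length
    // from CompareInfo, the managed analogue of FindNLSStringEx's pcchFound.
    static string FindLinguistic(string src, string val)
    {
        CompareInfo ci = CultureInfo.InvariantCulture.CompareInfo;
        int idx = ci.IndexOf(src.AsSpan(), val.AsSpan(), CompareOptions.IgnoreCase, out int matchLength);
        return idx >= 0 ? src.Substring(idx, matchLength) : null;
    }

    static string Describe(string s) =>
        s == null
            ? "null"
            : $"{s.Length} chars: " + string.Join(" ", Array.ConvertAll(s.ToCharArray(), c => $"U+{(int)c:X4}"));

    static void Main()
    {
        // Constructed input: U+00AD SOFT HYPHEN carries no collation weight, so a
        // culture-sensitive search for "ab" matches the three-char span "a\u00ADb".
        string src = "a\u00ADb";
        string val = "ab";

        Console.WriteLine("culture    : " + Describe(FindCulture(src, val)));
        Console.WriteLine("ordinal    : " + Describe(FindOrdinal(src, val)));
        Console.WriteLine("linguistic : " + Describe(FindLinguistic(src, val)));
    }
}
```

Where the runtime's collation treats the soft hyphen as ignorable (both NLS and ICU do), the culture-sensitive version reports a hit but slices off only two chars, ending in the hyphen rather than in `b`; the ordinal version reports no match, which is the honest answer for a byte-exact search; the linguistic version returns the whole three-char span because it used the matched length instead of the pattern length. Any code that uses the index from a culture-sensitive `IndexOf` to cut, validate or sanitize a string needs one of those two fixes.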
Unsafe, PInvoke

```csharp
// Under review: writes through a pinned pointer into the string's own buffer,
// mutating an object the runtime treats as immutable (and possibly interned);
// offset and count are not bounds-checked.
private static unsafe string Mask(this string src, int offset, int count)
{
    fixed (char* pchr = src)
    {
        for (int i = 0; i < count; i++)
            pchr[i + offset] = '•';
    }
    return src;
}
```
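An added example (mine, not from the deck) that puts the reviewed in-place `Mask` beside a copying replacement and checks what the in-place version does to other holders of the same literal. `MaskDemo`, `MaskInPlace`, `MaskCopy` and the card-number input are constructed here; the project must allow unsafe code for the in-place method to compile.

```csharp
using System;

// Added example (not from the slides): the in-place Mask from the review next
// to a copying version, with a check that shows the aliasing it causes.
static class MaskDemo
{
    // As reviewed: writes into the string's own buffer through a pinned pointer.
    // Strings are immutable by contract and literals are interned, so this also
    // rewrites every other reference to the same literal; nothing checks bounds.
    static unsafe string MaskInPlace(string src, int offset, int count)
    {
        fixed (char* pchr = src)
        {
            for (int i = 0; i < count; i++)
                pchr[i + offset] = '•';
        }
        return src;
    }

    // Fix: validate the range, build a new string, leave src untouched.
    static string MaskCopy(string src, int offset, int count)
    {
        if (src == null) throw new ArgumentNullException(nameof(src));
        if (offset < 0 || offset > src.Length) throw new ArgumentOutOfRangeException(nameof(offset));
        if (count < 0 || count > src.Length - offset) throw new ArgumentOutOfRangeException(nameof(count));
        char[] chars = src.ToCharArray();
        for (int i = 0; i < count; i++)
            chars[offset + i] = '•';
        return new string(chars);
    }

    static void Main()
    {
        // Constructed input: two variables, one interned literal.
        string a = "card-1234";
        string b = "card-1234";

        string masked = MaskCopy(a, 5, 4);
        Console.WriteLine($"copy    : a={a} result={masked} sameObject={ReferenceEquals(a, masked)}");
        Console.WriteLine($"aliased : {ReferenceEquals(a, b)}");

        MaskInPlace(a, 5, 4);
        Console.WriteLine($"in-place: a={a} b={b} bChangedToo={b == masked}");
    }
}
```

The copying version returns a distinct object and leaves `a` readable; after the in-place call, `b`, which was never passed to `Mask`, has been rewritten too, because both variables point at the same interned instance. That is the review point: masking a secret in place does not remove it from memory (the original chars are simply overwritten wherever that one object lives) and it silently corrupts every other user of the value, including string literals and dictionary keys.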
What's New in the BCL, .NET 4.0 CTP: String Security Changes (old)

"The default partial matching overloads on System.String (StartsWith, EndsWith, IndexOf, and LastIndexOf) have been changed to be culture-agnostic (ordinal) by default."

"UPDATE for .NET 4 Beta 1: In order to maintain high compatibility between .NET 4 and previous releases, we have decided to revert this change."
Code review #2

```csharp
public static void WriteToStream<T>(Stream stream, T obj, Encoding encoding = null)
{
    var bytes = (encoding ?? Encoding.UTF8).GetBytes(JsonConvert.SerializeObject(obj));
    stream.Write(bytes, 0, bytes.Length);
}

public static void HttpGetData(HttpListenerContext context)
{
    // As on the slide: a legacy single-byte code page is chosen for JSON output
    // (and the charset parameter is written without "charset=").
    context.Response.ContentType = "application/json; windows-1251";
    // HttpListenerRequest has no indexer; the slide's Request["id"] is read here
    // as the query-string parameter.
    var user = ReadSavedData(context.Request.QueryString["id"]);
    WriteToStream(context.Response.OutputStream, user, Encoding.GetEncoding(1251));
}
```
Double quotes?

" « » “ ” „ ‟ 〝 〞 〟 ＂

- U+0022 QUOTATION MARK "
- U+00AB LEFT-POINTING DOUBLE ANGLE QUOTATION MARK «
- U+00BB RIGHT-POINTING DOUBLE ANGLE QUOTATION MARK »
- U+201C LEFT DOUBLE QUOTATION MARK “
- U+201D RIGHT DOUBLE QUOTATION MARK ”
- U+201E DOUBLE LOW-9 QUOTATION MARK „
- U+201F DOUBLE HIGH-REVERSED-9 QUOTATION MARK ‟
- U+301D REVERSED DOUBLE PRIME QUOTATION MARK 〝
- U+301E DOUBLE PRIME QUOTATION MARK 〞
- U+301F LOW DOUBLE PRIME QUOTATION MARK 〟
- U+FF02 FULLWIDTH QUOTATION MARK ＂
Chars transformation

```csharp
using System;
using System.Text;
using Newtonsoft.Json;

// The slide does not show the User class; a one-field version is assumed here.
class User { public string name; }

private static void Main(string[] args)
{
    // Every quote in the name is U+FF02 FULLWIDTH QUOTATION MARK, not U+0022.
    var user = new User { name = "\uFF02, \uFF02admin\uFF02: true, \uFF02X\uFF02: \uFF02" };
    var str = JsonConvert.SerializeObject(user);
    Console.WriteLine(str);
    Console.WriteLine($"UTF8: {BitConverter.ToString(Encoding.UTF8.GetBytes(str))}");
    Console.WriteLine($"1251: {BitConverter.ToString(Encoding.GetEncoding(1251).GetBytes(str))}");
    Console.WriteLine($"CHAR: {string.Join(" ", str.ToCharArray())}");
}
```
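Code review #2 and the transformation slide above describe the same failure: the JSON is built from UTF-16 chars that the serializer does not escape (U+FF02 is not `"`), and only when the bytes are produced does a single-byte code page with a best-fit table turn them into ASCII quotes, so the stored name becomes structure. The added example below (mine, not the deck's code) shows the defender's checks: a round-trip test that flags any lossy transcoding, a strict code page that throws instead of substituting, and a `WriteToStream` core that refuses to emit JSON the target encoding cannot carry byte-for-byte. `EncodingDemo`, `RoundTrips`, `Strict` and `SerializeFor` are constructed here; the payload is the slide's; it assumes Newtonsoft.Json is referenced and, on .NET Core / .NET 5+, that the code-page provider from System.Text.Encoding.CodePages is registered.

```csharp
using System;
using System.Text;
using Newtonsoft.Json;

// Added example (not from the slides). Assumes Newtonsoft.Json is referenced
// and, on .NET Core / .NET 5+, that the code-page provider is registered.
static class EncodingDemo
{
    sealed class User { public string name; }

    // True only if every char of s survives enc byte-for-byte. A best-fit
    // substitution (U+FF02 becoming 0x22) or a '?' replacement both fail this.
    static bool RoundTrips(Encoding enc, string s)
    {
        byte[] bytes = enc.GetBytes(s);
        return string.Equals(enc.GetString(bytes), s, StringComparison.Ordinal);
    }

    // A code page that throws on unmappable chars instead of substituting.
    static Encoding Strict(int codePage) =>
        Encoding.GetEncoding(codePage, EncoderFallback.ExceptionFallback, DecoderFallback.ExceptionFallback);

    // Hardened WriteToStream core: refuse output that the target encoding
    // would rewrite, because the rewrite can produce structural JSON chars.
    static byte[] SerializeFor(object obj, Encoding enc)
    {
        string json = JsonConvert.SerializeObject(obj);
        if (!RoundTrips(enc, json))
            throw new InvalidOperationException($"JSON is not representable in {enc.WebName} without substitution");
        return enc.GetBytes(json);
    }

    static void Main()
    {
#if NETCOREAPP
        Encoding.RegisterProvider(CodePagesEncodingProvider.Instance); // System.Text.Encoding.CodePages
#endif
        // Same constructed payload as the slide: every quote is U+FF02.
        var user = new User { name = "\uFF02, \uFF02admin\uFF02: true, \uFF02X\uFF02: \uFF02" };
        string json = JsonConvert.SerializeObject(user);
        Encoding cp1251 = Encoding.GetEncoding(1251);

        Console.WriteLine("utf-8  round-trips: " + RoundTrips(Encoding.UTF8, json));
        Console.WriteLine("cp1251 round-trips: " + RoundTrips(cp1251, json));
        Console.WriteLine("cp1251 decoded    : " + cp1251.GetString(cp1251.GetBytes(json)));

        try
        {
            Strict(1251).GetBytes(json);
            Console.WriteLine("strict cp1251: encoded without substitution");
        }
        catch (EncoderFallbackException e)
        {
            Console.WriteLine($"strict cp1251: refused U+{(int)e.CharUnknown:X4} at index {e.Index}");
        }

        byte[] safe = SerializeFor(user, Encoding.UTF8); // pair with "application/json; charset=utf-8"
        Console.WriteLine("utf-8 bytes: " + safe.Length);
    }
}
```

UTF-8 round-trips the payload, so `SerializeFor` emits it unchanged and the fullwidth quotes stay data. Windows-1251 cannot represent U+FF02, so the round-trip check fails whichever fallback the encoder uses: with the default best-fit behaviour the decoded text shows the injected `"admin": true` member, with the strict encoding the first U+FF02 raises `EncoderFallbackException` before any byte is written. The practical rule for an API that must keep a legacy charset is to construct that encoding with `EncoderFallback.ExceptionFallback` rather than the default, and to state the charset correctly in `Content-Type`.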
Questions

- Encodings and character transformations: http://websec.github.io/unicode-security-guide/character-transformations/
- Best Practices for Using Strings in the .NET Framework: https://msdn.microsoft.com/dd465121
- Security Considerations: International Features: https://msdn.microsoft.com/dd374047