[SERVER-10897] User and role names should be canonicalized by the server using Unicode canonicalization form NFC Created: 25/Sep/13  Updated: 06/Dec/22

Status: Backlog
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Andy Schwerin Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-11601 SSL server hostname validation should... Backlog
is related to SERVER-10896 Enforce prohibition of embedded NULLs... Closed
is related to SERVER-10898 Passwords should be canonicalized acc... Closed
Assigned Teams:
Server Security
Participants:

Description

Section 3.11 of chapter 3 of the Unicode specification discusses the canonicalization (normalization) forms: http://www.unicode.org/versions/Unicode6.2.0/ch03.pdf

In essence, if a sophisticated user cannot distinguish two user or role names without inspecting the sequences of code points that encode them, applications and drivers are at risk of producing the wrong byte string from user input, which can prevent log-in or identify the wrong user or role.
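The failure mode described above, as an added illustration that is not MongoDB server code: two code-point sequences for the same name render identically but differ byte-for-byte, so a raw-byte lookup misses the user while a lookup keyed on the NFC form finds it. The sample names and the RoleStore class are constructed for this example.

```python
import unicodedata

# Constructed sample: two code-point sequences for the name "josé" that render
# identically but differ byte-for-byte.
PRECOMPOSED = "jos\u00e9"    # U+00E9 LATIN SMALL LETTER E WITH ACUTE
DECOMPOSED = "jose\u0301"    # 'e' followed by U+0301 COMBINING ACUTE ACCENT


def canonical_name(name: str) -> str:
    """Return the NFC form of a user or role name.

    NFC is idempotent, so applying it to an already-canonical name is a no-op;
    the server can safely canonicalize on every create, lookup and compare.
    """
    return unicodedata.normalize("NFC", name)


def names_match(a: str, b: str) -> bool:
    """Compare two names after canonicalization instead of by raw bytes."""
    return canonical_name(a) == canonical_name(b)


class RoleStore:
    """Hypothetical in-memory user -> role map keyed by canonical names."""

    def __init__(self) -> None:
        self._roles: dict[str, str] = {}

    def grant(self, user: str, role: str) -> None:
        self._roles[canonical_name(user)] = role

    def role_of(self, user: str):
        # A lookup with either spelling resolves to the same entry.
        return self._roles.get(canonical_name(user))


def demo() -> dict:
    """Contrast a raw-byte keyed map with the canonicalized store."""
    naive = {PRECOMPOSED: "readWrite"}       # keyed on whatever bytes arrived
    store = RoleStore()
    store.grant(PRECOMPOSED, "readWrite")
    return {
        "raw_bytes_equal": PRECOMPOSED.encode("utf-8") == DECOMPOSED.encode("utf-8"),
        "canonical_equal": names_match(PRECOMPOSED, DECOMPOSED),
        "naive_lookup": naive.get(DECOMPOSED),          # None: user "not found"
        "canonical_lookup": store.role_of(DECOMPOSED),  # "readWrite"
    }
```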



Comments
Comment by Andreas Nilsson [ 06/Nov/13 ]

The same goes for DNS name comparison when doing SSL server hostname validation, see linked ticket.

Generated at Thu Feb 08 03:24:20 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.