[SERVER-10897] User and role names should be canonicalized by the server using Unicode canonicalization form NFC

Created: 25/Sep/13 Updated: 06/Dec/22

| Status: | Backlog |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement |
| Priority: | Major - P3 |
| Reporter: | Andy Schwerin |
| Assignee: | Backlog - Security Team |
| Resolution: | Unresolved |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Assigned Teams: | Server Security |

Description
Section 3.11 of chapter 3 of the Unicode specification discusses the canonicalization (normalization) forms: http://www.unicode.org/versions/Unicode6.2.0/ch03.pdf In essence, if even a sophisticated user looking at two user or role names cannot tell them apart without inspecting the sequence of code points used to encode them, applications and drivers risk producing the wrong byte string from user input, which either prevents log-in or identifies the wrong user or role.
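As an added illustration (not from this ticket or the MongoDB server code base), the following Python script shows the failure mode the description warns about: the same visible name "José" encoded once precomposed and once decomposed compares unequal byte for byte, a store that keys accounts on the raw string misses the lookup and accepts a look-alike duplicate, while a store that applies NFC on every write and read resolves either encoding to the same principal and rejects the duplicate. The sample names and the two store classes are constructed for the example.

```python
import unicodedata

# Constructed sample input: the same visible name "José" encoded two ways.
PRECOMPOSED = "Jos\u00e9"      # U+00E9 LATIN SMALL LETTER E WITH ACUTE
DECOMPOSED = "Jose\u0301"      # 'e' followed by U+0301 COMBINING ACUTE ACCENT


def canonicalize(name: str) -> str:
    """Return the NFC form of a user or role name.

    NFC (Unicode chapter 3, section 3.11) composes a base character with
    its combining marks wherever a precomposed code point exists, so all
    encodings that render identically collapse to one code point sequence.
    """
    return unicodedata.normalize("NFC", name)


def same_principal(a: str, b: str) -> bool:
    """Compare two names as an authenticating server should: after NFC."""
    return canonicalize(a) == canonicalize(b)


class NaiveUserStore:
    """Keys accounts on the raw string it received (the risky behaviour)."""

    def __init__(self) -> None:
        self._users: dict[str, list[str]] = {}

    def create(self, name: str, roles: list[str]) -> bool:
        """Create the account; returns False if the name already exists."""
        if name in self._users:
            return False
        self._users[name] = roles
        return True

    def lookup(self, name: str):
        """Return the account's roles, or None if no such account."""
        return self._users.get(name)


class CanonicalUserStore(NaiveUserStore):
    """Applies NFC on every write and read, so either encoding resolves
    to the same account and a look-alike duplicate cannot be created."""

    def create(self, name: str, roles: list[str]) -> bool:
        return super().create(canonicalize(name), roles)

    def lookup(self, name: str):
        return super().lookup(canonicalize(name))


def demo() -> dict:
    """Run both stores against the two encodings and report the outcomes."""
    naive = NaiveUserStore()
    naive.create(DECOMPOSED, ["readWrite"])
    canonical = CanonicalUserStore()
    canonical.create(DECOMPOSED, ["readWrite"])
    return {
        "byte_equal": PRECOMPOSED == DECOMPOSED,                     # False
        "canonical_equal": same_principal(PRECOMPOSED, DECOMPOSED),  # True
        "naive_lookup": naive.lookup(PRECOMPOSED),                   # None: log-in fails
        "naive_duplicate": naive.create(PRECOMPOSED, ["root"]),      # True: look-alike created
        "canonical_lookup": canonical.lookup(PRECOMPOSED),           # ['readWrite']
        "canonical_duplicate": canonical.create(PRECOMPOSED, ["root"]),  # False: rejected
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The design point is that canonicalization happens in one place, on the server, on both the write path and the read path; normalizing only in clients or drivers leaves every other client free to send the other encoding.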
Comments

Comment by Andreas Nilsson [ 06/Nov/13 ]

The same goes for DNS name comparison when doing SSL server hostname validation, see linked ticket.