Recipe 17.19. Achieving Secure Unicode Encoding

Problem

You want to make sure that your UnicodeEncoding or UTF8Encoding class detects any errors, such as an invalid sequence of bytes.

Solution

Use the constructor for the UnicodeEncoding class that accepts three parameters:

 UnicodeEncoding encoding = new UnicodeEncoding(false, true, true); 

Or use the constructor for the UTF8Encoding class that accepts two parameters:

 UTF8Encoding encoding = new UTF8Encoding(true, true); 

Discussion

The final argument to both of these constructors should be true. This turns on error detection for the class. Error detection helps when an attacker is somehow able to access and modify a Unicode- or UTF8-encoded stream of characters. If the attacker is not careful, she can invalidate the encoded stream. With error detection turned on, the encoding class acts as a first line of defense in catching these invalid encoded streams.

When error detection is turned on, errors such as the following are dealt with by throwing an ArgumentException:

  • Leftover bytes that do not make up a complete encoded character sequence exist.

  • An invalid encoded start character was detected. For example, a UTF8 character does not fit into one of the following classes: Single-Byte, Double-Byte, Three-Byte, Four-Byte, Five-Byte, or Six-Byte.

  • Extra bits are found after processing an extra byte in a multibyte sequence.

  • The leftover bytes in a sequence could not be used to create a complete character.

  • A high surrogate value is not followed by a low surrogate value.

  • In the case of the GetBytes method, the byte[] that is used to hold the resulting bytes is not large enough.

  • In the case of the GetChars method, the char[] that is used to hold the resulting characters is not large enough.

If you use a constructor other than the ones shown in this recipe, or if you set the last parameter in these constructors to false, any errors in the encoding sequence are ignored and no exception is thrown.
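The following added example (not code from the book) decodes the same byte arrays with error detection on and off, covering three of the conditions listed above: leftover bytes, an invalid start byte, and a high surrogate without a low surrogate. The class name, helper methods, and sample byte arrays are constructed for illustration.

```csharp
using System;
using System.Text;

static class StrictDecodingDemo
{
    // Returns the decoded text, or null when the encoding rejects the bytes.
    static string TryDecode(Encoding encoding, byte[] data)
    {
        try
        {
            return encoding.GetString(data);
        }
        catch (ArgumentException) // later runtimes throw a subclass, DecoderFallbackException
        {
            return null;
        }
    }

    // Prints whether each encoding accepted the input and how many chars it produced.
    static void Report(string label, Encoding strict, Encoding lenient, byte[] data)
    {
        string s = TryDecode(strict, data);
        string l = TryDecode(lenient, data);
        Console.WriteLine("{0,-22} strict: {1,-10} lenient: {2}", label,
            s == null ? "rejected" : s.Length + " chars",
            l == null ? "rejected" : l.Length + " chars");
    }

    static void Main()
    {
        // Last constructor argument: true = error detection on, false = off.
        Encoding strictUtf8 = new UTF8Encoding(true, true);
        Encoding lenientUtf8 = new UTF8Encoding(true, false);
        Encoding strictUtf16 = new UnicodeEncoding(false, true, true);
        Encoding lenientUtf16 = new UnicodeEncoding(false, true, false);

        // Constructed sample inputs.
        byte[] valid = { 0x6F, 0x6B, 0xE2, 0x82, 0xAC };   // "ok" + U+20AC
        byte[] truncated = { 0x6F, 0x6B, 0xE2, 0x82 };     // three-byte sequence cut short
        byte[] badStart = { 0x6F, 0xFF, 0x6B };            // 0xFF cannot start a sequence
        byte[] loneHigh = { 0x3D, 0xD8, 0x41, 0x00 };      // U+D83D then 'A', little-endian

        Report("valid UTF-8", strictUtf8, lenientUtf8, valid);
        Report("leftover bytes", strictUtf8, lenientUtf8, truncated);
        Report("invalid start byte", strictUtf8, lenientUtf8, badStart);
        Report("lone high surrogate", strictUtf16, lenientUtf16, loneHigh);
    }
}
```

Returning null on rejection forces the caller to handle the malformed input explicitly instead of processing whatever the lenient decoder produced.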

See Also

See the "UnicodeEncoding Class" and "UTF8Encoding Class" topics in the MSDN documentation.



C# Cookbook