UTF-8 is a variable-width encoding for Unicode. UTF-8 uses one to four bytes per character, depending on the Unicode symbol. UTF-8 has the following properties.
- The classical US-ASCII characters (0 to 0x7f) encode as themselves, so files and strings that are encoded with ASCII values have the same encoding under both ASCII and UTF-8.
- All UCS characters beyond (0x7f) are encoded as a multibyte sequence consisting only of bytes in the range of 0x80 to 0xfd. This means that no ASCII byte can appear as part of another character.
- It's eas to convert between UTF-8 and UCS-2 and UCS-4 fixed-width representations of characters.
- The lexicographic sorting order of UCS-4 strings is preserved.
- All possible 2^31 UCS codes can be encoded using UTF-8
Generally, all programs should perform checks for any UTF-8 data for UTF-8 legality before performing other checks. The table below listed all Legal UTF-8 Sequences.
UCS Code (HEX)
|
Binary UTF-8 Format |
Legal UTF-8 Values (HEX) |
00-7F |
0xxxxxxx
|
00-7F |
80-7FF |
110xxxxx 10xxxxxx |
C2-DF 80-BF |
800-FFF |
1110xxxx 10xxxxxx 10xxxxxx |
E0 A0*-BF 80-BF |
1000-FFFF |
1110xxxx 10xxxxxx 10xxxxxx |
E1-EF 80-BF 80-BF |
10000-3FFFF |
11110xxx 10xxxxxx 10xxxxxx 10xxxxxx |
F0 90*-BF 80-BF 80-BF |
40000-FFFFFF |
11110xxx 10xxxxxx 10xxxxxx 10xxxxxx |
F1-F3 80-BF 80-BF 80-BF |
40000-FFFFFF |
11110xxx 10xxxxxx 10xxxxxx 10xxxxxx |
F1-F3 80-BF 80-BF 80-BF |
100000-10FFFFF |
11110xxx 10xxxxxx 10xxxxxx 10xxxxxx |
F4 80-8F* 80-BF 80-BF |
|
Security Related Issues
The UTF-8 encoding scheme is fairly simple, but there are a few clarifications that are important for security reasons. One of the most important ones is the requirement that only the "shortest" form of UTF-8 should be permitted. Naive decoder may accept encoding that are longer than necessary, this means that potentially dangerous input could be represented multiple ways, and this will defeat the security checking for dangerous inputs. For example:
- Process A perfoms security checks, but does not check for non-shortest UTF-8 forms.
- Process B accepts the byte sequence from process A, and transform it into UTF-16 while interpreting possible non-shortest forms.
- The UTF-16 text may then contain characters that should have been filtered out by process A, and could potentially be dangerous.
Another requirement is that encoding of individual or out of order surrogate halves should not be permitted.
Reference
- The RFC describes the problem this way: Implementers of UTF-8 need to consider the security aspects of how they handle illegal UTF-8 sequences. It is conceivable that in some circumstances an attacker would be able to exploit an incautious UTF-8 parser by sending it an octet (byte) sequence that is not permitted by the UTF-8 syntax. A particularly subtle form of this attack could be carried out against a parser which which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as a character. For example, a parser might prohibit the NUL character when encoded as single-octet sequence 00, but allow the illegal two-octet sequence C0 80 (illegal because it's longer than necessary) and interpret it as a NUL character (00). Another example might be a parser which prohibits the octet sequence 2F 2E 2E 2F ("/../"), yet permits the illegal octet sequence 2F c) AE 2E 2F.
- http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/character-encoding.html