Luckily, up until recently, data which violated the requirements wasn't easy to get in, but now it's more than easy:
a) A system I am aware of used to be green screen only and had validation in the presentation layer to prevent unauthorized characters like commas. Once the underlying transaction was made available to process transactions from the Internet, customers finally could manipulate this data. Someone didn't bother to eliminate "," as a valid character, as it wasn't in the spec - they only had a few characters to eliminate, and "," wasn't one of them. The comma upset the strip (batch data) file. It caused several abends and a lot of sleepless nights for the folks whilst they worked out how to get rid of this troublesome character from a multi-gigabyte file and successfully re-run the batch without re-processing already processed transactions.
b) I have spaces in my name. Galileo, the online booking system used by pretty much everyone, is written on top of TPS, an old (and I mean OLD - it's older than me) OS for IBM mainframes. TPS is written in assembly language, as are most of the Galileo transactions for freight and self-loading freight (humans). If, like me, you try to enter the legally required spaces in your name as often as you can, it's nearly funny the number of times I've had to get manual assistance to get on planes and through the TSA checkpoint. I'm sure it's because Galileo doesn't handle spaces properly. I wonder what other characters it doesn't like.
c) The EOF marker in EBCDIC works really well. If your outside program can send it in a field and it doesn't mean anything to anyone ... until it hits a file, you can cause a lot of problems, particularly with batch-driven systems. Luckily, most front-end systems I come across don't know what to do with low ASCII entries and either don't pass them on or fail to translate them properly, thus preventing a workable attack.
thanks, Andrew
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
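The three failure modes Andrew describes (a separator character leaking into a batch file, legitimate spaces in names, and ASCII control characters surviving translation to EBCDIC) can be shown in a few lines. The following is an added example, not code from the original post or from any of the systems it mentions. The record layout, the field names and the sample inputs are constructed for illustration; the allowlist is an assumption about what such a batch interface would accept, and the ASCII SUB character (0x1A, which classic DOS text tools treat as end-of-file) stands in for the "EOF marker" case.

```python
import csv
import io
import re

# Constructed sample fields (name, reference) as a web front end might now
# submit them to a transaction that feeds a comma-separated batch ("strip") file.
SAMPLE_INPUT = [
    ("ACME TRADING", "INV-1001"),   # clean
    ("Smith, John", "INV-1002"),    # comma: fine on a green screen, fatal in the strip file
    ("Van der Berg", "INV-1003"),   # spaces are legitimate in names and must survive
    ("EVIL\x1aCORP", "INV-1004"),   # ASCII SUB (0x1A) control character
]

# Assumed allowlist for a batch field: letters, digits, space, dot, apostrophe, hyphen.
# Note that the comma and every control character are excluded by construction,
# rather than by a denylist of "the few characters we thought of".
FIELD_RE = re.compile(r"[A-Za-z0-9 .'\-]{1,40}")


def validate_field(value):
    """Return True if the field is safe to write to the batch file."""
    return FIELD_RE.fullmatch(value) is not None


def build_naive_record(name, ref):
    """The unvalidated path: just join the fields with the file separator."""
    return f"{name},{ref}\n"


def parse_batch_naive(text):
    """A batch reader that splits on the raw separator (no quoting support)."""
    return [line.split(",") for line in text.splitlines()]


def naive_field_count(name, ref):
    """How many fields the batch reader sees for one naive record (should be 2)."""
    return len(parse_batch_naive(build_naive_record(name, ref))[0])


def build_safe_record(name, ref):
    """Validate first, then let the csv module quote the fields so the
    separator can never be ambiguous even if the allowlist is relaxed later."""
    for value in (name, ref):
        if not validate_field(value):
            raise ValueError(f"rejected field {value!r}")
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n").writerow([name, ref])
    return buf.getvalue()


def control_chars_survive_ebcdic(value):
    """Translate the field to EBCDIC (code page 037) and report whether any
    control character remains. In EBCDIC all control codes are below 0x40
    (0x40 is the space), so code page translation does not remove them:
    the front end has to reject them before they reach the mainframe."""
    ebcdic = value.encode("cp037")
    return any(b < 0x40 for b in ebcdic)


def audit(rows):
    """Summarise each sample: accepted by the allowlist, fields seen naively,
    and whether an EBCDIC translation would still carry a control character."""
    return [
        (name, validate_field(name), naive_field_count(name, ref),
         control_chars_survive_ebcdic(name))
        for name, ref in rows
    ]


if __name__ == "__main__":
    for name, ok, nfields, ctl in audit(SAMPLE_INPUT):
        print(f"{name!r:18} allowlisted={ok!s:5} naive_fields={nfields} "
              f"control_in_ebcdic={ctl}")
```

Running it shows the comma record splitting into three fields for the naive reader while "Van der Berg" passes untouched, and the SUB character still present after translation to cp037, which is exactly why the control-character check belongs at the boundary rather than being left to whatever the file layer happens to do with it.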