On Tue, Sep 8, 2009 at 7:46 PM, Chris Hostetter
<hossman_luc...@fucit.org> wrote:
> if the container can't correctly output
> some characters, i see no reason to hide the bug

Another problem is that it won't reliably break.  The bug breaks our
encapsulation (before the patch) and thus the client reads the wrong
number of chars for the string, and who knows what happens after that.
The majority of the time it will result in an exception, but it really
depends.  This is the type of stuff (buffer underflows / overflows)
that could be used to mess with security too... a carefully crafted
request could inject / change fields in the response and have it look
valid.

-Yonik
http://www.lucidimagination.com
