IgorShare Thoughts and Ideas

Consulting and Training

Did you know: using ToLower on a Unicode text can cause a security problem?

Posted by Igor Moochnick on 01/26/2008

Recently watched the latest DnrTV show #97 (love them!) with Kathleen Dollard (check her blog Leaning Into Windows). Great show! Kathleen went through a lot of things that are rarely used in the day-to-day projects but, if overlooked, can cause a serious problem and put the whole project/product at risk. Here are 2 that are really worth remembering:

1. In a product that works with Unicode strings (Localized) and do a lot of string comparisons, it’s better to use ToUpper than ToLower. ToUpper will not work correctly for a couple of languages, but ToLower, not only fail for more languages, but, also, can expose a bunch of security problems within Unicode implementation.

2. Do not write ANY code that changes variables in a partial method call. If a partial method implementation will be removed – such code will be removed as well and will cause an unpredictable result. To understand this check out the following code snippet:

   1: partial void PrintNum(int n);
   3: public int AddWithIncrement(int a, int b)
   4: {
   5:    PrintNum(a++);
   6:    return a+b;
   7: }


Let’s say that a=1 and b=2. If the PrintNum method will have a declaration, then the AddWithIncrement function will return 4. On the other hand, if the declaration of PrintNum will be removed, the compiler will remove (ignore) the whole line #5 (PrintNum(a++)), hence the a++ will not be executed and AddWithIncrement function will return 3.

So, be careful, you have been warned!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: