Closed hannahwhy closed 13 years ago
Yeah, it's pretty gruesome:
https://gist.github.com/a19b7f7a622ab7b12396
I'm not really too worried about this, though. CAS responses in UTF-16 will not lead to false positives for authentication; rather, they'll lead to (admittedly very messy) authentication failures. The failure mode can be improved by (a) handling UTF-16 or (b) rescuing on receipt of invalid UTF-8. ((b) is really necessary, anyway, because there's no guarantee that a CAS client will receive valid UTF-8.)
Additionally, UTF-8 is definitely the popular option for protocols (and, really, many other things that deal with character sets besides), so although I have absolutely no data to back this up, I think this problem will be rarely hit in practice, if at all.
Castanet's response parsers assume UTF-8-encoded data, and will likely break pretty spectacularly if given UTF-16. UTF-16 is legal in XML documents, so this might be a problem.
(I've yet to use a CAS server that issues responses containing entities encoded in UTF-16, but that certainly does not mean they don't exist.)
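Options (a) and (b) from the thread, sketched as an added Ruby example; this is not Castanet's code and was not posted by anyone in the thread. All method, constant and error names are hypothetical, the sample response is constructed, and the block passed to `ticket_valid?` stands in for the real response parser.

```ruby
# Added illustration; every name here is hypothetical, not Castanet's API.
class InvalidResponseEncoding < StandardError; end

# Byte-order marks, then the BOM-less "<?" signatures from XML 1.0 Appendix F.
BOMS = {
  "\xEF\xBB\xBF".b => Encoding::UTF_8,
  "\xFF\xFE".b     => Encoding::UTF_16LE,
  "\xFE\xFF".b     => Encoding::UTF_16BE
}.freeze
SIGNATURES = {
  "<\x00?\x00".b => Encoding::UTF_16LE,
  "\x00<\x00?".b => Encoding::UTF_16BE
}.freeze

# (a) Transcode UTF-16 to UTF-8; (b) raise one well-defined error on bad bytes.
def cas_response_to_utf8(raw)
  bytes = raw.b # binary copy, so the caller's string is left untouched
  bom, encoding = BOMS.find { |prefix, _| bytes.start_with?(prefix) }
  if bom
    bytes = bytes.byteslice(bom.bytesize, bytes.bytesize)
  else
    _, encoding = SIGNATURES.find { |prefix, _| bytes.start_with?(prefix) }
    encoding ||= Encoding::UTF_8
  end
  text = bytes.force_encoding(encoding)
  unless text.valid_encoding?
    raise InvalidResponseEncoding, "response is not valid #{encoding}"
  end
  text.encode(Encoding::UTF_8)
rescue EncodingError => e
  raise InvalidResponseEncoding, e.message
end

# Fail closed: an undecodable response is an authentication failure.
# The block stands in for the real response parser.
def ticket_valid?(raw)
  yield cas_response_to_utf8(raw)
rescue InvalidResponseEncoding
  false
end

# Constructed sample response.
SAMPLE = '<?xml version="1.0"?><cas:serviceResponse ' \
         'xmlns:cas="http://www.yale.edu/tp/cas"><cas:authenticationSuccess>' \
         '<cas:user>jdoe</cas:user></cas:authenticationSuccess>' \
         '</cas:serviceResponse>'
```

Normalizing before parsing keeps the outcome binary: the parser either sees valid UTF-8 or the ticket is rejected, so a malformed or unexpectedly encoded response cannot surface as an unhandled exception in the client.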