As software vendors move to international markets, they internationalize their products. Unfortunately, this process has introduced many bugs.

Converting string between locales

The following function converts strings between different locales:

    void ICUConvertString(ICULocale toLocale, char* toBuf, int lenToBuf,
                          ICULocale fromLocale, char* fromBuf, int lenFromBuf);

To use this function safely, the caller must ensure the following:

- toBuf and fromBuf are different. This is because the same string may have different lengths in different locales, so in-place conversion is unsafe.
- lenToBuf is at least the number of characters in fromBuf times the maximum length of any character in the new locale. This is because a character may have different lengths in different locales.

Converting string in the same locale

A function for converting a string to uppercase is:

    /* lenFromBuf = -1 means do a strlen on the buf */
    int ICUMapString(ICULocale locale, char* toBuf, int lenToBuf, char* fromBuf,
                     int lenFromBuf);

To use this function safely, the caller must not use the same string for both toBuf and fromBuf, because an uppercase character may have a different length than its lowercase counterpart even in the same locale.
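
The caller obligations described in the two sections above (separate buffers, and a destination sized for the worst-case character length) can also be enforced inside the conversion routine. The following is an added example, not code from the original page: latin1_to_utf8 and latin1_to_utf8_bound are hypothetical names, and ISO-8859-1 to UTF-8 stands in for a conversion in which a character may grow from one byte to two.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example: hypothetical helpers, not the ICUConvertString from the text.
 * Converts ISO-8859-1 bytes to UTF-8; bytes >= 0x80 grow to two bytes. */
#define UTF8_MAX_PER_LATIN1 2   /* longest UTF-8 form of one Latin-1 character */

/* Worst-case destination size for n_chars characters, including the NUL. */
size_t latin1_to_utf8_bound(size_t n_chars)
{
    if (n_chars > (SIZE_MAX - 1) / UTF8_MAX_PER_LATIN1)
        return 0;                       /* the multiplication would overflow */
    return n_chars * UTF8_MAX_PER_LATIN1 + 1;
}

/* Returns bytes written (excluding the NUL), or -1 if the buffers overlap or
 * the destination is too small. Never writes past to[to_len - 1]. */
long latin1_to_utf8(char *to, size_t to_len, const char *from, size_t from_len)
{
    uintptr_t t = (uintptr_t)to, f = (uintptr_t)from;
    size_t out = 0;

    if (to == NULL || from == NULL || to_len == 0)
        return -1;
    /* Rule 1: reject in-place or overlapping conversion. */
    if (t < f + from_len && f < t + to_len)
        return -1;

    for (size_t i = 0; i < from_len; i++) {
        unsigned char c = (unsigned char)from[i];
        size_t need = (c < 0x80) ? 1 : 2;
        /* Rule 2: require room for this character plus the terminator. */
        if (need + 1 > to_len - out)
            return -1;
        if (c < 0x80) {
            to[out++] = (char)c;
        } else {
            to[out++] = (char)(0xC0 | (c >> 6));
            to[out++] = (char)(0x80 | (c & 0x3F));
        }
    }
    to[out] = '\0';
    return (long)out;
}
```

A destination of the same byte length as the source is rejected as soon as one character needs two bytes, which is the case the sizing rule exists to catch.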

Traversing multibyte character string

A program should not traverse a multibyte character string by bytes, such as:

- str++; or str--;
- str+=len; unless len is the return value of strlen() or ICUByteLength()
- strstr(const char *haystack, const char *needle);

Traversing string backward

Certain character encodings prohibit a program from traversing strings backward, because the program cannot determine the length of the previous character.

Localized time

If a program needs to localize date and time, it should not call printf() on the return values of localtime().

Database clients sometimes send their passwords to the server insecurely.

Disclosing passwords via exec

An application program may connect to a local database by invoking a program via an exec-like system call and providing a username and password as arguments to the call. This is insecure, because every user on the local system can view the command line arguments, which contain the username and password, of the invoked program.

Sending plaintext password over the network

When an application program connects to a remote database via the network, it must encrypt its password before sending the password over the network.

Hao Chen <hchen AT cs.ucdavis.edu>