> On Dec 29, 2022, at 11:43 AM, Alan Coopersmith =
<alan.coopersmith@oracle.com> wrote:


Another solution is to escape bytes that might cause trouble in this =
field, e.g., using %xx hexadecimal.
So space would be %20, ")" would be %41, control characters 1-31 would =
be %01 to %1f,
and (of course) "%" would be encoded as %25.
Basically, URL-encode / Percent-encode them. See: =
https://en.wikipedia.org/wiki/Percent-encoding

Technically this would be a userspace change, but only in cases where =
the system
would probably have done the wrong thing previously. It's okay if we =
break *attacker* workflows
as long as we don't break others'. An advantage of URL encoding is that,
like JSON, it's a well-known format. I might do something different if =
this was a new system,
but that seems like the least-impact approach while eliminating the =
problem.

--- David A .Wheeler