[fpc-devel] Dynamic codepages etc.
Sven Barth
pascaldragon at googlemail.com
Thu Dec 11 11:39:18 CET 2014
Am 11.12.2014 10:36 schrieb "Mark Morgan Lloyd" <
markMLl.fpc-devel at telemetry.co.uk>:
>
> If my understanding is correct, under certain circumstances FPC now
considers the dynamic codepage of a string and propagates information
across operations.
>
> I wonder whether this would be a good time to introduce some form of
taint marking, i.e. a flag indicating that a string is of external origin
which propagates until a (trusted) function asserts that it's been fully
checked?
>
> (I've been planning to ask this for a few days, but have just noticed
http://hackaday.com/2014/04/04/sql-injection-fools-speed-traps-and-clears-your-record/
which might have been intended as an "April Fool" joke but still makes a
good point.)
It's not the compiler's or RTL's job to ensure that your inputs are valid
and not malicious, so there is no need to burden it with additional data.
And if we'd open that door, what would come next?
Regards,
Sven
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freepascal.org/pipermail/fpc-devel/attachments/20141211/7f2a3783/attachment.html>
More information about the fpc-devel
mailing list