[fpc-pascal] Processing passwords etc.

Mark Morgan Lloyd markMLl.fpc-pascal at telemetry.co.uk
Fri Apr 11 10:15:17 CEST 2014


Michael Van Canneyt wrote:
> On Fri, 11 Apr 2014, Mark Morgan Lloyd wrote:
> 
>> Is my understanding correct that when a string or a dynamic array is 
>> extended it might result in its existing content being released to the 
>> heap?
>>
>> If so, is it possible to ensure that this is zeroed or randomised 
>> first, without having to do it manually?
> 
> Currently not, although such behaviour could easily be introduced as an 
> option.
> 
> Current HeartBleed frenzy getting you (or your bosses) scared ? :)

:-) No, but I don't think enough people are focussing on the real 
problem which is that the OpenSSL developers were letting sensitive data 
leak to the freelist.

If, when they wrote the code some years ago, they'd been rigorous in 
their handling of passwords and private keys, then the current bug 
(introduced in 2012) would have been far less serious.

-- 
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[Opinions above are the author's, not those of his employers or colleagues]
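As an added illustration (not part of the original thread, and not FPC RTL code), here is one way to do the manual wiping the question above is about. Plain SetLength on a dynamic array or string copies the contents into a new block and hands the old block back to the heap untouched, so the two helpers below wipe the old storage with FillChar before the reference is dropped. SecureSetLength, SecureClear, SecureClearString and TSecretBuf are names chosen for this example; the sample "password" is a constructed literal, not a real credential. It assumes FPC does not elide the FillChar call as a dead store (it is an RTL call rather than inlined code, but the compiler gives no formal guarantee of this).

```pascal
program SecureGrow;
{$mode objfpc}{$H+}

type
  TSecretBuf = array of Byte;   // example type for this demo

// Grow (or shrink) a sensitive dynamic array to NewLen elements.
// Unlike a plain SetLength, the old storage is zeroed before its
// reference is dropped, so the freed heap block holds no secret.
procedure SecureSetLength(var Buf: TSecretBuf; NewLen: SizeInt);
var
  NewBuf: TSecretBuf;
  N: SizeInt;
begin
  NewBuf := nil;
  SetLength(NewBuf, NewLen);
  N := Length(Buf);
  if N > NewLen then
    N := NewLen;
  if N > 0 then
    Move(Buf[0], NewBuf[0], N);
  if Length(Buf) > 0 then
    FillChar(Buf[0], Length(Buf), 0);   // wipe before the old block is released
  Buf := NewBuf;   // old array's refcount reaches zero and it is freed already zeroed
end;

// Wipe and release a sensitive dynamic array.
procedure SecureClear(var Buf: TSecretBuf);
begin
  if Length(Buf) > 0 then
    FillChar(Buf[0], Length(Buf), 0);
  SetLength(Buf, 0);
end;

// Wipe and release an AnsiString. UniqueString first, so that a
// string literal or a shared reference-counted buffer is copied to
// heap we own before we overwrite it.
procedure SecureClearString(var S: AnsiString);
begin
  if S <> '' then
  begin
    UniqueString(S);
    FillChar(S[1], Length(S), 0);
  end;
  S := '';
end;

var
  Secret: TSecretBuf;
  Pw: AnsiString;
begin
  // Constructed sample secret for the demo; not a real credential.
  Pw := 'correct horse battery staple';
  SetLength(Secret, Length(Pw));
  Move(Pw[1], Secret[0], Length(Pw));

  // Grow to 64 bytes: the original block is zeroed before it goes back to the heap.
  SecureSetLength(Secret, 64);
  WriteLn('grown to ', Length(Secret), ' bytes');

  SecureClear(Secret);
  SecureClearString(Pw);
  WriteLn('lengths after clearing: ', Length(Secret), ' / ', Length(Pw));
end.
```

Two caveats a practitioner would want. First, dynamic arrays and AnsiStrings are reference counted: if another variable still refers to the same buffer, the FillChar in SecureSetLength zeroes that view too (acceptable for secrets, and the block is not actually freed until the last reference drops). Second, this only covers the buffers you control; temporaries the compiler or RTL create during concatenation, copies left in registers or on the stack, and pages written to swap are outside its reach, so it narrows the window rather than closing it.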
