
Re: Code Review Guidelines (draft)



Bernd Eckenfels wrote:

| >     Much better, look at rfc822.  (I wouldn't consider *anything* that
| > has the word "sendmail" in it a good reference).
| 
| It's much better if you don't rely on the content of the string at all. Don't
| use sh -c or system and you will be safe. Simply assume that all characters
| are valid in user-supplied strings and treat them exactly that way... If they
| need to be exported then unfortunately they need to be 'untainted' and this
| should be done by positive not negative lists as mentioned in the
| guidelines.

	Not passing untainted data to system is clearly a very good
idea.

	Less clear is how much other parsing should be done.  I like
extreme parsing (when it's cheap; as Marcus Watts pointed out,
verifying remote hostnames & usernames can be expensive).  If you
don't strongly verify data on the way in, it can get to other places
not so careful about its contents.  This is why I chose to recommend
against accepting a wide variety of legit email address formats;
because they will be passed back to a database that assumes that the
addresses have been sanitized, and are in [email protected] format, and will
not treat them with the care they deserve.

	In an ideal world, programmers would be careful with the data
they get, but we don't live in an ideal world.  I choose to suggest
paranoia over inclusiveness, but am adding an appendix discussing
issues of mail addressing.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume