[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Code Review Guidelines (draft)
Bernd Eckenfels wrote:
| > Much better, look at rfc822. (I wouldn't consider *anything* that
| > has the word "sendmail" in it a good reference).
|
| its much better if you dont rely on the content of the string at all. Dont
| use sh -c or system and you will be save. Simply asume that all characters
| are valid in user suplied strings and treat them exactly that way... If they
| need to be exporeted then unfortunately they need to be 'untainted' and this
| should be done by positive not negative lists as mentioned in the
| guidelines.
Not passing untainted data to system is clearly a very good
idea.
Less clear is how much other parsing should be done. I like
extreme parsing (when its cheap; as Marcus Watts pointed out,
verifying remote hostnames & usernames can be expensive). If you
don't strongly verify data on the way in, it can get to other places
not so careful about its contents. This is why I chose to recommend
against accepting a wide variety of legit email address formats;
because they will be passed back to a database that assumes that the
addresses have been sanitized, and are in [email protected] format, and not
treat them with the care they deserve.
In an ideal world, programmers would be careful with the data
they get, but we don't live in an ideal world. I choose to suggest
paranoia over inclusiveness, but am adding an appendix discussing
issues of mail addressing.
Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume