Re: Security

From: Maciej Katafiasz <mathrick@xxxxxxxxx>
Date: Thu, 31 Jan 2008 14:29:36 +0000 (UTC)

Den Thu, 31 Jan 2008 15:23:33 +0100 skrev Jeronimo Pellegrini:

- Although with (safety 1) you can't really crash the application,

Sure you can: just put some bugs in your code. Forget to convert an
input string into a number somewhere, before doing some maths on it?
Easy, peasy.

Hm, yeash, sounds like fun.
So, not using (safety 0), plus being careful when using (coerce) and
other functions that would bypass type safety.

Coerce doesn't bypass type safety, quite the opposite. The bug here would
be calling an arithmetic function on a string (which results in TYPE-
ERROR), instead on of on a converted value of that string.

Cheers,
Maciej
.

Follow-Ups:
- Re: Security
  - From: Jeronimo Pellegrini

References:
- Security
  - From: Steve-o
- Re: Security
  - From: Jeronimo Pellegrini
- Re: Security
  - From: Andrew Reilly
- Re: Security
  - From: Jeronimo Pellegrini

Prev by Date: Re: Security
Next by Date: Re: Formatting large numbers with ~g?
Previous by thread: Re: Security
Next by thread: Re: Security
Index(es):
- Date
- Thread

Relevant Pages

Re: Crazy Testing ideas
... > interesting bugs? ... Something on the lines of Shoe testing as James Bach ... Each test has some cost and and some value. ... string, then copying it ten times; then copy the new string ten times; ...
(comp.software.testing)
Re: NullPointerException
... > language in which it's not possible to observe a null value. ... I haven't written a programming language for ages. ... String getAddress(); ... My point of view is of someone who wants to reduce bugs. ...
(comp.lang.java.programmer)
Re: Psql .NET Provider bug list
... Using PsqlDataAdapter in conjunction with stored procedures for every ... This does not happen when the field is set to a string value instead of ... The .NET provider reference states that LongVarChar is mapped ... As with all bugs I submit here, these do not occur when using the ...
(comp.databases.btrieve)
Re: What *is* a CtrlID?
... This is an infinite loop. ... Basically, I found that just using signed integer even for data that is unsigned in his nature (like a length of a string), saves from subtle bugs. ... ; but store this variable in a signed 'int'.) ...
(microsoft.public.vc.mfc)
Fedora Bug Day Tomorrow: Feb 4th 2004: the strings they are achangin
... Basically that means finding bugreports that talk about bugs in user ... a text string that could be reworded after the string change deadline, ... No Clue What I'm talking about when I say the phrase Fedora Triage? ...
(Fedora)