On 16.04.2016 20:48, FreeSlave wrote:
> github repo: https://github.com/MyLittleRobo/mimeapps (examples included)

You've got some bad `@trusted`s in your code:


<https://github.com/MyLittleRobo/mimeapps/blob/03b53ce35d2f4f56fdf76e0b6f5c681660b9d23a/source/mimeapps.d#L29>:

The constraint allows user-defined types that implicitly convert to const(char)[] via alias this. Such a type may, for example, have an unsafe opAssign, which you're mistakenly trusting here.


<https://github.com/MyLittleRobo/mimeapps/blob/03b53ce35d2f4f56fdf76e0b6f5c681660b9d23a/source/mimeapps.d#L191>,
<https://github.com/MyLittleRobo/mimeapps/blob/03b53ce35d2f4f56fdf76e0b6f5c681660b9d23a/source/mimeapps.d#L308>:

Similarly, IniLikeReader may do unsafe stuff and can't be trusted.


> Related libraries:
>
> https://github.com/MyLittleRobo/desktopfile - reading and executing .desktop files.
> https://github.com/MyLittleRobo/mime - parsing shared MIME type database and detecting MIME types of files.

These have bad `@trusted`s, too. I'm not going to go over all of them, but here are some examples:


<https://github.com/MyLittleRobo/desktopfile/blob/1f2e7a4162493ef292b4c23b152875d83f84a89a/source/desktopfile/utils.d#L754>,
<https://github.com/MyLittleRobo/desktopfile/blob/1f2e7a4162493ef292b4c23b152875d83f84a89a/source/desktopfile/file.d#L705>,
<https://github.com/MyLittleRobo/desktopfile/blob/1f2e7a4162493ef292b4c23b152875d83f84a89a/source/desktopfile/file.d#L718>:

Trusting template arguments again.


<https://github.com/MyLittleRobo/mime/blob/c781948be3ba3f43fa4974592e6a7d7534baaeeb/source/mime/cache.d#L44>:

Reversing the bytes of arbitrary data, including pointers, is not memory-safe.
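
Added example, not part of the original message and not code from any of the linked repositories: a minimal D program illustrating the "trusting template arguments" points above (the `alias this` case and the `IniLikeReader` case). The names `Evil`, `trustedCopy` and `inferredCopy` are hypothetical; the constraint is assumed to have the form `is(S : const(char)[])`.

```d
// Added illustration; all names here are hypothetical.

// A user-defined type that implicitly converts to const(char)[] via alias this.
struct Evil
{
    const(char)[] s;
    alias s this;

    // Not @safe: stands in for any opAssign that does memory-unsafe work.
    void opAssign(Evil rhs) @system
    {
        s = rhs.s;
    }
}

// Mistake: @trusted vouches for every S the constraint admits,
// including user code the template author has never seen.
S trustedCopy(S)(S str) @trusted
if (is(S : const(char)[]))
{
    S result;
    result = str; // for Evil this calls the @system opAssign unchecked
    return result;
}

// Fix: no safety attribute on the template. The compiler infers
// @safe or @system per instantiation from what S actually does.
S inferredCopy(S)(S str)
if (is(S : const(char)[]))
{
    S result;
    result = str;
    return result;
}

void main() @safe
{
    // The constraint alone is no barrier: Evil passes it.
    static assert(is(Evil : const(char)[]));
    // @trusted lets @safe code reach Evil's @system opAssign.
    static assert(__traits(compiles, () @safe { trustedCopy(Evil.init); }));
    // Inference keeps built-in strings usable from @safe code...
    static assert(__traits(compiles, () @safe { inferredCopy("text/plain"); }));
    // ...and rejects the instantiation that is actually @system.
    static assert(!__traits(compiles, () @safe { inferredCopy(Evil.init); }));
}
```

If a template genuinely needs an unchecked operation, the usual pattern is to confine `@trusted` to a small non-generic helper or lambda around that one operation, so nothing supplied by the template argument runs inside the trusted region.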
