If my understanding is correct, under certain circumstances FPC now considers the dynamic codepage of a string and propagates information across operations.

I wonder whether this would be a good time to introduce some form of taint marking, i.e. a flag indicating that a string is of external origin which propagates until a (trusted) function asserts that it's been fully checked?

(I've been planning to ask this for a few days, but have just noticed http://hackaday.com/2014/04/04/sql-injection-fools-speed-traps-and-clears-your-record/ which might have been intended as an "April Fool" joke but still makes a good point.)

--
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[Opinions above are the author's, not those of his employers or colleagues]
_______________________________________________
fpc-devel maillist  -  fpc-devel@lists.freepascal.org
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-devel
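
The flag-and-propagate idea raised in the message above, sketched as an added example in Free Pascal (not part of the original post and not FPC's own code). `TTaintedString`, `Mark`, `CheckedAsNumber` and `CanExecute` are hypothetical names, and the flag is assumed to live in a user-level record rather than in the compiler's string header.

```pascal
program TaintDemo;
{$mode objfpc}{$H+}
uses SysUtils;

type
  // Hypothetical type: a string paired with an "external origin" flag.
  TTaintedString = record
    Value: string;
    Tainted: Boolean;
  end;

function Mark(const S: string; External: Boolean): TTaintedString;
begin
  Result.Value := S;
  Result.Tainted := External;
end;

// Propagation: the result is tainted if either operand is.
operator + (const A, B: TTaintedString) R: TTaintedString;
begin
  R.Value := A.Value + B.Value;
  R.Tainted := A.Tainted or B.Tainted;
end;

// Trusted checker: clears the flag only after the whole value parses as a number.
function CheckedAsNumber(const S: TTaintedString): TTaintedString;
var
  N: Int64;
begin
  if not TryStrToInt64(S.Value, N) then
    raise EConvertError.Create('rejected external input');
  Result := Mark(IntToStr(N), False);
end;

// Sink: refuses any string that still carries the flag.
function CanExecute(const Q: TTaintedString): Boolean;
begin
  Result := not Q.Tainted;
end;

var
  Input, Q1, Q2: TTaintedString;
begin
  Input := Mark('42', True);  // constructed sample of externally supplied text
  Q1 := Mark('SELECT * FROM plates WHERE id = ', False) + Input;
  Q2 := Mark('SELECT * FROM plates WHERE id = ', False) + CheckedAsNumber(Input);
  WriteLn('unchecked query accepted: ', CanExecute(Q1));
  WriteLn('checked query accepted:   ', CanExecute(Q2));
end.
```

The unchecked concatenation stays flagged and is refused by the sink, while the value that passed through the checker yields an unflagged query.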
