On 11.12.2014 10:36, "Mark Morgan Lloyd" <markmll.fpc-de...@telemetry.co.uk> wrote:
>
> If my understanding is correct, under certain circumstances FPC now
> considers the dynamic codepage of a string and propagates information
> across operations.
>
> I wonder whether this would be a good time to introduce some form of
> taint marking, i.e. a flag indicating that a string is of external origin
> which propagates until a (trusted) function asserts that it's been fully
> checked?
>
> (I've been planning to ask this for a few days, but have just noticed
> http://hackaday.com/2014/04/04/sql-injection-fools-speed-traps-and-clears-your-record/
> which might have been intended as an "April Fool" joke but still makes a
> good point.)

It's not the compiler's or RTL's job to ensure that your inputs are valid
and not malicious, so there is no need to burden it with additional data.
And if we'd open that door, what would come next?

Regards,
Sven
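A sketch of the taint marking discussed above, written as ordinary library code rather than a compiler or RTL feature. This is an added example, not code from this thread or from FPC: a record carries the string together with a flag saying it came from outside the program, concatenation and substring extraction propagate the flag, a validating function clears it only after the content passes an allow-list, and a sink refuses anything still flagged. The names (TTaintedString, FromExternal, FromInternal, TaintedCopy, AsDigitsOnly, RunQuery) and the digits-only rule are assumptions made for the example.

```pascal
{$mode objfpc}{$H+}
program TaintDemo;

uses
  SysUtils;

type
  { Example type (assumed name): a string plus a flag recording whether
    its content originated outside the program. }
  TTaintedString = record
    Value: AnsiString;
    Tainted: Boolean;
  end;

{ Wrap data read from an external source (file, socket, request parameter). }
function FromExternal(const S: AnsiString): TTaintedString;
begin
  Result.Value := S;
  Result.Tainted := True;
end;

{ Wrap a literal or other program-controlled string. }
function FromInternal(const S: AnsiString): TTaintedString;
begin
  Result.Value := S;
  Result.Tainted := False;
end;

{ Concatenation propagates taint: if either operand is tainted, so is the result. }
operator + (const A, B: TTaintedString) R: TTaintedString;
begin
  R.Value := A.Value + B.Value;
  R.Tainted := A.Tainted or B.Tainted;
end;

{ Substring extraction keeps the taint of its source. }
function TaintedCopy(const S: TTaintedString; Index, Count: SizeInt): TTaintedString;
begin
  Result.Value := Copy(S.Value, Index, Count);
  Result.Tainted := S.Tainted;
end;

{ The "trusted" function: only after the content matches an allow-list
  (digits only, a rule assumed for this example) is the flag cleared. }
function AsDigitsOnly(const S: TTaintedString; out Clean: TTaintedString): Boolean;
var
  I: SizeInt;
begin
  Result := False;
  if S.Value = '' then
    Exit;
  for I := 1 to Length(S.Value) do
    if not (S.Value[I] in ['0'..'9']) then
      Exit;
  Clean.Value := S.Value;
  Clean.Tainted := False;
  Result := True;
end;

{ A sink that refuses tainted input, so unchecked data cannot reach it. }
procedure RunQuery(const Q: TTaintedString);
begin
  if Q.Tainted then
    raise Exception.Create('refusing query built from unchecked input: ' + Q.Value);
  WriteLn('executing: ', Q.Value);
end;

var
  UserInput, Query, Clean: TTaintedString;
begin
  { Constructed sample input standing in for a form field. }
  UserInput := FromExternal('1234''; DROP TABLE plates; --');
  Query := FromInternal('SELECT * FROM plates WHERE plate = ''')
           + UserInput + FromInternal('''');
  WriteLn('query tainted: ', Query.Tainted);  { True: the flag survived the + }
  try
    RunQuery(Query);
  except
    on E: Exception do
      WriteLn('rejected: ', E.Message);
  end;

  { Only input that passes validation loses the flag and reaches the sink. }
  if AsDigitsOnly(TaintedCopy(FromExternal('1234'), 1, 4), Clean) then
    RunQuery(FromInternal('SELECT * FROM plates WHERE plate = ') + Clean);
end.
```

Because the flag lives in a user-defined type and the operators are overloaded in user code, the propagation rule and the set of trusted functions are entirely under the application's control; nothing here needs the compiler or RTL to track provenance on behalf of the program.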
_______________________________________________
fpc-devel maillist  -  fpc-devel@lists.freepascal.org
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-devel
