On Wed, 30 Sep 2020 08:01:09 -0500, Walt Farrell wrote:
>On Tue, 29 Sep 2020 16:59:34 -0700, Charles Mills wrote:
>
>>Applications should not "validate" filenames before attempting to open or
>>create a file. Present the name to the file system API and report any error
>>back to the user. Application filename validation is what leads to these
>>inconsistencies.
>
>I will strongly agree with that, Charles.
>
However, queue latency provides a (weak) motive for the reader to perform
syntax checking so gross errors can be reported promptly.

>It goes along with not trying to pre-check the security results ...
>
Previously, you've mentioned TOCTTOU. Some monitors harshly investigate
failed access attempts. For consistency they should likewise investigate
security queries with negative results lest a (fe)malefactor try to avoid
causing alarms.

On Wed, 30 Sep 2020 07:56:57 -0500, Walt Farrell wrote:
>
>RACF required applications to present the password in upper-case, so the
>applications were not at fault for doing so. Blame RACF for that one.
>
Applications should not attempt to correct user errors. I blame them on
that account.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
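An added illustration of the two points argued in the thread above (present the name to the file system and report its error, rather than pre-validating; and avoid the check-then-use window that TOCTTOU names). This is example code written for this page, not anything from the thread's participants, RACF, or z/OS. It uses a POSIX file system rather than the mainframe ones under discussion, the file names it tries are constructed, and the `ALLOWED` character rule is a hypothetical application-side guess at what the file system accepts.

```python
import errno
import os
import tempfile

# Constructed example (not from the IBM-MAIN thread). Contrasts handing a
# name straight to the file-system API with application-side pre-validation.


def create_new_file(path, data=b""):
    """Present the name to the OS and report whatever it says.

    O_CREAT | O_EXCL makes 'does it exist?' and 'create it' a single atomic
    call, so there is no check-then-use window (TOCTTOU) to race against.
    Returns (ok, errno_value, message); errno_value is 0 on success.
    """
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except OSError as exc:
        # The OS's own verdict, passed back verbatim; nothing second-guessed.
        return False, exc.errno, f"{path}: {os.strerror(exc.errno)}"
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True, 0, f"{path}: created"


# Hypothetical application rule: a guess at which characters the file
# system allows. It is narrower than the real file system, which is the
# 'inconsistency' the thread complains about.
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")


def create_with_precheck(path, data=b""):
    """The pattern the thread argues against.

    The application applies its own syntax rule, then probes for existence,
    and only then opens. The rule can disagree with the file system (it
    rejects a legal name below), and the probe is a separate call from the
    open, so a file created by someone else in between is silently
    truncated by the plain open(). The OS error path is still needed.
    """
    if not set(os.path.basename(path)) <= ALLOWED:
        return False, errno.EINVAL, f"{path}: rejected by application rule"
    if os.path.exists(path):
        return False, errno.EEXIST, f"{path}: exists (probe result, racy)"
    try:
        with open(path, "wb") as f:  # O_CREAT | O_TRUNC, no O_EXCL
            f.write(data)
    except OSError as exc:  # e.g. parent directory missing: pre-checks missed it
        return False, exc.errno, f"{path}: {os.strerror(exc.errno)}"
    return True, 0, f"{path}: created"


def demo():
    """Run both approaches over the same constructed names, each in its own
    scratch subdirectory so they do not interfere.
    Returns {approach: {name: ["OK" or errno name, ...]}}."""
    names = ["report.txt", "report.txt", "résumé.txt", "missing_dir/x.txt"]
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, fn in (("api", create_new_file), ("precheck", create_with_precheck)):
            sub = os.path.join(tmp, label)
            os.mkdir(sub)
            table = out.setdefault(label, {})
            for name in names:
                ok, err, _msg = fn(os.path.join(sub, name))
                table.setdefault(name, []).append("OK" if ok else errno.errorcode[err])
    return out


if __name__ == "__main__":
    for approach, table in demo().items():
        for name, outcomes in table.items():
            print(f"{approach:9s} {name:20s} {outcomes}")
```

Running it shows the divergence the thread describes: the API-first version creates `résumé.txt` because the file system accepts it, while the pre-checking version refuses it on the application's rule alone; both report `EEXIST` on the second `report.txt`, but only the `O_EXCL` version gets that answer from a single atomic call rather than a probe followed by an open that would have truncated the file.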
