Applications should diagnose but not "correct" user errors, and should use common system services to do so, where they exist. OS developers should provide services for validation. Neither application developers nor OS developers should attempt to validate externally defined data unless they *REALLY* know what the rules are: that means hands off of names and e-mail addresses if you don't know in detail what is permitted in every culture and in the relevant RFCs.

-- Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of Paul Gilmartin <[email protected]>
Sent: Wednesday, September 30, 2020 9:39 AM
To: [email protected]
Subject: Re: blanks at the end of Unix file names - was LMINIT cannot handle concatenation with more than 16 data sets?

On Wed, 30 Sep 2020 08:01:09 -0500, Walt Farrell wrote:

>On Tue, 29 Sep 2020 16:59:34 -0700, Charles Mills wrote:
>
>>Applications should not "validate" filenames before attempting to open or
>>create a file. Present the name to the file system API and report any error
>>back to the user. Application filename validation is what leads to these
>>inconsistencies.
>
>I will strongly agree with that, Charles.
>
However, queue latency provides a (weak) motive for the reader to perform
syntax checking so gross errors can be reported promptly.

>It goes along with not trying to pre-check the security results ...
>
Previously, you've mentioned TOCTTOU. Some monitors harshly investigate
failed access attempts. For consistency they should likewise investigate
security queries with negative results lest a (fe)malefactor try to
avoid causing alarms.

On Wed, 30 Sep 2020 07:56:57 -0500, Walt Farrell wrote:
>
>RACF required applications to present the password in upper-case, so the
>applications were not at fault for doing so. Blame RACF for that one.
>
Applications should not attempt to correct user errors. I blame
them on that account.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
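
Added example, not part of the thread or written by any of its participants: a Python sketch of the two behaviours discussed above, run against a POSIX file system where a name ending in a blank is legal. The function names, the trailing-blank trimming rule and the file names are assumptions made for illustration.

```python
import errno
import os
import tempfile


def corrected_open(path):
    """Application "corrects" the name and pre-checks access before opening."""
    cleaned = path.rstrip(" ")             # assumption: the app trims trailing blanks
    if not os.access(cleaned, os.R_OK):    # check ...
        return None, "application pre-check rejected %r" % cleaned
    with open(cleaned, "rb") as fh:        # ... then use: the state may have changed
        return fh.read(), None


def direct_open(path):
    """Present the name unchanged and report whatever the file system says."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError as exc:
        code = errno.errorcode.get(exc.errno, str(exc.errno))
        return None, "%s: %s: %r" % (code, exc.strerror, path)
    with os.fdopen(fd, "rb") as fh:
        return fh.read(), None


def demo():
    """Build a constructed directory and compare both approaches on it."""
    with tempfile.TemporaryDirectory() as d:
        blank = os.path.join(d, "report.txt ")   # constructed name, trailing blank
        with open(blank, "wb") as fh:
            fh.write(b"payload")
        return {
            "corrected": corrected_open(blank),
            "direct": direct_open(blank),
            "missing": direct_open(os.path.join(d, "absent.txt")),
        }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The "corrected" path cannot reach a file that exists, while the direct path either returns the data or passes the file system's own error code back to the caller in a single operation, with no gap between check and use.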
