Hi Stas,

On Thu, Nov 20, 2014 at 10:28 AM, Stanislav Malyshev <smalys...@gmail.com> wrote:

> > I like this RFC overall. Precise parameter checks are good for security
> > always.
>
> I don't see how it matters for security at all. If you need an int,
> (int) works as well as any proposed check, security-wise. You may want
> different diagnostics, etc. but this doesn't have to do much with
> security. In other words, if the security depends on any differences
> between (int) and to_int, it's probably not done right.

Please refer to CWE/SANS TOP 25, Monster Mitigations especially.
http://cwe.mitre.org/top25/#Mitigations
and ISO 27000. (I cannot provide a link to it, since one has to buy the document to read it.)

The programmer should control all inputs as the most important security measure.
There are two strategies in general.

- Convert inputs to secure values and ignore possible attacks. (Sanitization)
- Validate inputs to reject malformed values and record possible attacks. (Validation and logging)

(int) is sanitization. It works, but it cannot log/detect a possible attack (or bug).
to_int can be used as validation. It has the advantage of recording a possible attack (or bug).

Logging is one of the important security features. Therefore, validation could be said to be more secure than sanitization.

Which strategy to adopt depends on organization/application policy. Public web sites may ignore invalid inputs due to the large amount of attacks, while private web sites may require recording all possible attacks (or bugs), for example.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
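The sanitization-versus-validation contrast described in the message above, as an added example that is not part of the thread or of the RFC under discussion. The `to_int` function proposed in the RFC is not assumed to exist; its validating role is modelled here with the existing `filter_var(FILTER_VALIDATE_INT)`. The function names, the "page number" parameter and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the thread). Two ways of handling an integer
// request parameter such as a page number, following the two strategies
// described in the message: sanitization via (int), and validation that
// rejects and records malformed values.

// Strategy 1: sanitization. (int) silently coerces whatever it is given,
// so a malformed (or hostile) value becomes indistinguishable from a
// well-formed one and nothing is left to log.
function page_sanitized($raw)
{
    // "12abc" -> 12, "abc" -> 0, "-5" -> -5: all accepted without complaint.
    return (int)$raw;
}

// Strategy 2: validation. Only a value that is already a well-formed
// integer in the allowed range is accepted; anything else is rejected
// and an entry describing the rejected input is appended to $log.
// (Modelled with filter_var(); the RFC's to_int is hypothetical here.)
function page_validated($raw, array &$log)
{
    $value = filter_var(
        $raw,
        FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1))
    );
    if ($value === false) {
        // In a real application this would go to error_log() or a SIEM;
        // an in-memory array keeps the example self-contained.
        $log[] = sprintf('rejected page parameter: %s', var_export($raw, true));
        return null;
    }
    return $value;
}

// Constructed sample inputs: one valid value and four that a sanitizer
// would quietly turn into "valid" integers.
$inputs = array('12', '12abc', 'abc', '-5', '0');
$log = array();

foreach ($inputs as $raw) {
    printf(
        "%-8s sanitized=%-4d validated=%s\n",
        var_export($raw, true),
        page_sanitized($raw),
        var_export(page_validated($raw, $log), true)
    );
}

// The validation log is the detection artifact that (int) cannot produce:
// four of the five inputs are recorded as rejected.
print_r($log);
```

Run with `php example.php`. The `(int)` column shows why the cast alone gives no signal: `"12abc"` and `"12"` both sanitize to 12, so a probing request and a legitimate one look identical in any downstream log. The validated column returns `NULL` for the same inputs and leaves a record of what was rejected, which is the point the message makes about validation being more useful to an organization whose policy is to record possible attacks or bugs.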