On Thu, Jan 12, 2023 at 07:08:05AM -0800, Andy Bierman wrote:
> 
> Just because the escaped string is "safe" inside a NETCONF protocol message
> does not mean it is safe to use in other tools. Data (especially list keys)
> gets moved between software programs. Unrestricted strings increase the risk
> of data injection attacks.
>

Sorry, broken code that does not handle inputs of unexpected length
can't be secured by standardizing arbitrary limits. The only option is
to fix the broken code. Code that fails to validate its inputs can't
be fixed by arbitrary limits and the pure hope that the broken code
will never see something causing it to crash.

/js

-- 
Jürgen Schönwälder              Constructor University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
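To put the reply's point in code, as an added example that is not part of the thread: a length cap on a list-key string says nothing about its content, so a consumer that turns the key into a file path is only fixed by validating the key against what that use can handle. The YANG-style pattern, the storage directory and the sample keys are constructed for illustration.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Constructed: an "arbitrary limit" of the kind the thread argues against.
MAX_LEN = 64
# Constructed: a pattern restriction such as a YANG typedef might carry,
# expressing what the consumer can actually handle (no '/', no '&', no whitespace).
KEY_PATTERN = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# Constructed: directory where a hypothetical consumer stores per-key state.
BASE = Path("/var/lib/app/keys")


def length_only_check(key: str) -> bool:
    """What standardizing a length limit buys: nothing about the content."""
    return 0 < len(key) <= MAX_LEN


def validated_key(key: str) -> bool:
    """Fixing the consumer: accept only values its downstream use can handle."""
    return KEY_PATTERN.fullmatch(key) is not None


def classify(key: str) -> Tuple[bool, bool]:
    """(passes length limit, passes content validation) for one key."""
    return (length_only_check(key), validated_key(key))


def key_path(key: str) -> Optional[Path]:
    """Path for a key's state file, or None if the key is not acceptable."""
    if not validated_key(key):
        return None
    base = BASE.resolve()
    p = (base / key).resolve()
    # Belt and braces: even a validated key must stay inside BASE.
    if base not in p.parents:
        return None
    return p


if __name__ == "__main__":
    # Constructed sample keys: all but the last are well within the limit,
    # yet two of them would break a consumer that trusted the limit alone.
    for k in ["eth0", "eth0/../cfg", "a&lt;b", "x" * 65]:
        print(repr(k), classify(k), key_path(k))
```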

_______________________________________________
netmod mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/netmod