On 30/01/21 11:43 pm, Michael Van Canneyt via fpc-pascal wrote:


On Sat, 30 Jan 2021, Noel Duffy via fpc-pascal wrote:


Lastly, a minor point: in the source for netdb.pp there's a comment warning of 
stringfromlabel's lack of checks. Since it now has a good few checks, I think 
this warning is superfluous. But I didn't want to remove it without checking, 
in case there's more to it than meets the eye.

I also noticed this, but decided to leave it for the moment. If you feel it can 
be removed, I'll trust your judgment on that.

My vote is to remove the comment. While it may have been justified in the past, 
the current version of stringfromlabel is reasonably robust and resilient to 
the most obvious kinds of attack, in my opinion. Now, I'm not a security 
researcher and haven't done any serious fuzzing attacks against it, so all I 
can say is that stringfromlabel is about as safe as the rest of the code in 
netdb.pp.

_______________________________________________
fpc-pascal maillist  -  fpc-pascal@lists.freepascal.org
https://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
