On 30/01/21 11:43 pm, Michael Van Canneyt via fpc-pascal wrote:
> On Sat, 30 Jan 2021, Noel Duffy via fpc-pascal wrote:
>> Lastly, a minor point: in the source for netdb.pp there's a comment warning of
>> stringfromlabel's lack of checks. Since it now has a good few checks, I think
>> this warning is superfluous. But I didn't want to remove it without checking,
>> in case there's more to it than meets the eye.
> I also noticed this, but decided to leave it for the moment. If you feel it can
> be removed, I'll trust your judgment on that.
My vote is to remove the comment. While it may have been justified in the past,
the current version of stringfromlabel is reasonably robust and resilient to
the most obvious kinds of attack, in my opinion. Now, I'm not a security
researcher and haven't done any serious fuzzing attacks against it, so all I
can say is that stringfromlabel is about as safe as the rest of the code in
netdb.pp.
_______________________________________________
fpc-pascal maillist - fpc-pascal@lists.freepascal.org
https://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal