lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3F9C95C1.5030907@hutley.net>
From: brett at hutley.net (Brett Hutley)
Subject: Coding securely, was Linux (in)security

Chris Eagle wrote:

>>-----Original Message-----
>>From: full-disclosure-admin@...ts.netsys.com
>>[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Paul Schmehl
>>...
>>
>>But it shouldn't be the job of the writer of a subroutine to verify the
>>inputs.  The writer of a subroutine defines what the appropriate inputs to
>>that routine are, and it's up to the *user* of that subroutine to use it
>>properly.  The entire concept behind OOP is that you cannot know what's in
>>the "black box" you're using.  That makes it incumbent on you as the
> 
> *user*
> 
>>of a subroutine to use the correct inputs and to *verify* those inputs
> 
> when
> 
>>necessary.
>>
> 
> 
> That is the most backward thing I have ever heard.  So you are saying all I
> need to do as a programmer is tell you not to pass a negative number/null
> pointer/un-initialized value... to my function and I am off the hook.  All I
> can say is that I am glad utdallas doesn't have you teaching programming.
> The fact that you are unaware what lies inside the black box in no way
> relieves the responsibility of the designer of the black box to make sure
> that it behaves predictably under all input cases.

So you're saying I don't need to worry if a file pointer is NULL before 
passing it through to fprintf()? So I don't need to worry if an argument 
to strcpy() is NULL? Or are you trying to say that the standard library 
is badly written?

-- 
Brett Hutley [MAppFin,CISSP,SANS GCIH]
mailto:brett@...ley.net
http://hutley.net/brett



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ