Re: NCSA httpd 1.3

Ken Hardy (ken@bridge.com)
Fri, 24 Feb 1995 15:46:56 -0600

>However, perhaps another rule:
>    Avoid using strncat(dest, src, n) or strncpy(dest, src, n), etc, as they
>    _also_ do no checking on the max length of "dest", although 'n' can be
>    properly calculated & make them safe.
>
>Perhaps, instead, it's time to write a new series of string manipulators....
>ones that do the following:
>1)  Behave similarly to the existing functions (like sprintf(), strncat(),
>    strncpy(), but take an additional argument "destlen", which is (of course)
>    the max length of the destination string.
>2)  Do the string-function, but if the "dest" string will be overrun, return an
>    error code AND post to the syslog function.

Seems like this is begging for a "safe" string class for C++; I'm sure
that length-safe classes exist.  Subclass off that for "safer" classes
to handle the special characters a la the latest sendmail brouhaha.

[I conveniently ignore the fact that all the common source base out
 there is C (probably a lot of it not even ANSI), and the increased
 opportunities that C++ gives for obfuscated code.]

-- KH
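The "destlen"-taking string functions proposed in the quoted message, sketched in C as an added example (not code from the original thread; the names safe_strcpy, safe_strcat and strncat_room are assumptions). Each function takes the size of the destination buffer, never writes past it, always leaves dest NUL-terminated, and on an attempted overrun truncates, reports via syslog and returns an error code. strncat_room shows the "n can be properly calculated" case: the only n that makes plain strncat safe is the remaining room in dest, which the caller has to compute by hand every time.

```c
#include <stddef.h>
#include <string.h>
#include <syslog.h>

/* Return codes (assumed names, not from the original post). */
#define SAFESTR_OK     0
#define SAFESTR_TRUNC (-1)   /* dest would have overrun; result truncated */
#define SAFESTR_BADARG (-2)  /* dest not terminated within destlen, or destlen == 0 */

/* Length of dest without reading past destlen bytes (strnlen written out,
   so the example does not depend on POSIX feature macros). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* strcpy that knows the size of dest.  Copies at most destlen-1 bytes,
   always NUL-terminates, and logs + returns SAFESTR_TRUNC on overrun. */
int safe_strcpy(char *dest, size_t destlen, const char *src)
{
    size_t srclen = strlen(src);

    if (destlen == 0)
        return SAFESTR_BADARG;          /* nowhere to write even the NUL */

    if (srclen >= destlen) {
        memcpy(dest, src, destlen - 1);
        dest[destlen - 1] = '\0';
        syslog(LOG_WARNING, "safe_strcpy: %lu-byte source into %lu-byte buffer",
               (unsigned long)srclen, (unsigned long)destlen);
        return SAFESTR_TRUNC;
    }
    memcpy(dest, src, srclen + 1);      /* fits, including the NUL */
    return SAFESTR_OK;
}

/* strcat that knows the size of dest.  Appends as much of src as fits,
   keeps dest NUL-terminated, logs + returns SAFESTR_TRUNC on overrun. */
int safe_strcat(char *dest, size_t destlen, const char *src)
{
    size_t dlen, room, srclen;

    if (destlen == 0)
        return SAFESTR_BADARG;
    dlen = bounded_len(dest, destlen);
    if (dlen == destlen)
        return SAFESTR_BADARG;          /* dest is not a string within destlen */

    room   = destlen - dlen - 1;        /* bytes available before the NUL */
    srclen = strlen(src);

    if (srclen > room) {
        memcpy(dest + dlen, src, room);
        dest[dlen + room] = '\0';
        syslog(LOG_WARNING, "safe_strcat: appending %lu bytes, only %lu free",
               (unsigned long)srclen, (unsigned long)room);
        return SAFESTR_TRUNC;
    }
    memcpy(dest + dlen, src, srclen + 1);
    return SAFESTR_OK;
}

/* The 'n' that makes strncat(dest, src, n) safe for a dest of destlen bytes:
   strncat writes up to n bytes plus a NUL, so n must be the free room.
   Returns 0 when dest is full or not a terminated string. */
size_t strncat_room(const char *dest, size_t destlen)
{
    size_t dlen;
    if (destlen == 0)
        return 0;
    dlen = bounded_len(dest, destlen);
    if (dlen >= destlen)
        return 0;
    return destlen - dlen - 1;
}
```

The callers pass sizeof(buf) rather than a hand-computed count, which is the point of the extra argument: the function, not the caller, decides whether the write fits, and a truncated result is both visible to the program (the return code) and to the operator (the syslog entry) instead of silently corrupting the stack.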