While working on the new compiler I discovered a security bug - I think.
When using the print statement:
print "hello"
buffer = "hi there"
print buffer
The statement 'print buffer' is a hack point.
warning: format string is not a string literal (potentially insecure)
Now my question to the members:
Do many people use the format "print buffer"?
1. Should I just provide the above security warning at compile time?
2. Should I disallow the use of that format?
I do have a possible fix by changing the produced bytecode but it is a bit involved.
Anyway just thinking - opinions???
Larry
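The issue raised in the post above, as an added example that is not part of the original thread or the compiler's own code: it assumes `print` is lowered to a C printf-style call (the thread does not say how the bytecode does it) and compares using the variable as the format string with passing it as data to a constant "%s" format. All function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed unsafe lowering of `print buffer`: contents become the format. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int emit_as_format(char *out, size_t n, const char *buffer) {
    return snprintf(out, n, buffer);
}
#pragma GCC diagnostic pop

/* Safe lowering: constant format, the variable is only ever data. */
static int emit_as_data(char *out, size_t n, const char *buffer) {
    return snprintf(out, n, "%s", buffer);
}

/* Approximate count of arguments s would fetch if used as a format:
   one per directive plus one per '*'; only "%%" pairs fetch nothing. */
static int args_consumed(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (*++s == '%') continue;                 /* literal percent */
        while (*s && !isalpha((unsigned char)*s))  /* flags, width, precision */
            if (*s++ == '*') count++;
        if (!*s) { count++; break; }               /* unterminated: unsafe */
        count++;
    }
    return count;
}

/* 1 if both lowerings print the same text; format path runs only when safe. */
static int same_output(const char *buffer) {
    char a[128], b[128];
    if (args_consumed(buffer) > 0) return 0;  /* would read missing args */
    emit_as_format(a, sizeof a, buffer);
    emit_as_data(b, sizeof b, buffer);
    return strcmp(a, b) == 0;
}

int main(void) {
    /* "hi there" is from the post; the other two values are constructed. */
    const char *samples[] = { "hi there", "100%% done", "%s%s %*d" };
    for (int i = 0; i < 3; i++)
        printf("%-12s args=%d same=%d\n", samples[i],
               args_consumed(samples[i]), same_output(samples[i]));
    return 0;
}
```

With the constant "%s" format the contents of the variable never reach the format parser, so the program's behaviour no longer depends on what the string contains.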
I hate to slow you down because I am anxiously awaiting the new compiler, but I think it would be advantageous to make it as secure as possible. Just my thoughts.
Later,
Clint
Quote from: ckoehn on December 05, 2019, 06:40:48 AM
I hate to slow you down because I am anxiously awaiting the new compiler, but I think it would be advantageous to make it as secure as possible. Just my thoughts.
Later,
Clint
I agree with Clint.
Hi,
Yes, I have used Print Buffer in the past, so anything you can do to make it more secure would be a big help to us all.
Andy.