IonicWind Software

IWBasic for Linux => General IWLP Discussion => Topic started by: Rock Ridge Farm (Larry) on December 05, 2019, 06:00:06 AM

Title: Need input
Post by: Rock Ridge Farm (Larry) on December 05, 2019, 06:00:06 AM
While working on the new compiler I discovered a security bug - I think.
When using the print statement:
    print "hello"
    buffer = "hi there"
    print buffer
The statement 'print buffer' is a hack point.
warning: format string is not a string literal
      (potentially insecure)

Now my question to the members:
Do many people use the format "print buffer"?
1. Should I just provide the above security warning at compile time?
2. Should I disallow the use of that format?

I do have a possible fix by changing the produced bytecode but it is a bit involved.

Anyway just thinking - opinions???

Larry
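The diagnostic quoted above is the C compiler's warning for a `printf`-style call whose format argument is a runtime string rather than a literal. The block below is an added example, not code from the original post or from the IWBasic project; it assumes, as a hypothetical lowering, that `print <expr>` is emitted as a C `printf` call, and shows the hardened emission (literal format, runtime string passed as data) beside a testable rendering of the same output. The sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical lowering of the IWBasic statement `print buffer`.
 * The emission that triggers "format string is not a string literal"
 * passes the runtime string as the format itself:
 *
 *     printf(buffer);      // buffer's own contents are parsed as a format
 *
 * The hardened emission uses a literal format and passes the runtime
 * string as a data argument, so whatever it contains is printed verbatim. */
static void emit_print_safe(const char *buffer)
{
    printf("%s\n", buffer);
}

/* Same output as emit_print_safe, rendered into a caller-supplied buffer so
 * the result can be inspected. Returns the number of characters written,
 * or -1 on truncation or error. */
int render_print_safe(char *out, size_t outlen, const char *buffer)
{
    int n = snprintf(out, outlen, "%s\n", buffer);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Returns 1 if a string holds a '%' and would therefore be interpreted
 * differently when used as a format than when printed as data. A code
 * generator can use this on string constants it knows at compile time. */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    /* Constructed sample: text that happens to look like format directives.
     * With the safe lowering it is printed literally. */
    const char *buffer = "hi there %x %s";
    emit_print_safe(buffer);
    return 0;
}
```

The point of the two-argument form is that the format is fixed by the code generator, so the string the program reads at runtime can only ever be data; nothing in it is ever interpreted by `printf`.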

 
Title: Re: Need input
Post by: ckoehn on December 05, 2019, 06:40:48 AM
I hate to slow you down because I am anxiously awaiting the new compiler, but I think it would be advantageous to make it as secure as possible.  Just my thoughts.

Later,
Clint
Title: Re: Need input
Post by: LarryMc on December 05, 2019, 07:18:54 PM
Quote from: ckoehn on December 05, 2019, 06:40:48 AM
I hate to slow you down because I am anxiously awaiting the new compiler, but I think it would be advantageous to make it as secure as possible.  Just my thoughts.

Later,
Clint

I agree with Clint.
Title: Re: Need input
Post by: Andy on December 06, 2019, 05:28:20 AM
Hi,

Yes, I have used Print Buffer in the past, so anything you can do to make it more secure would be a big help to us all.

Andy.