October 20, 2020, 08:05:09 am

News:

Own IWBasic 2.x ? -----> Get your free upgrade to 3.x now.........


Need input

Started by Rock Ridge Farm (Larry), December 05, 2019, 06:00:06 am

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Rock Ridge Farm (Larry)

While working on the new compiler I discovered a security bug - I think.
When using the print statement:
    print "hello"
    buffer = "hi there"
    print buffer
The statement 'print buffer' is a hack point.
warning: format string is not a string literal
      (potentially insecure)

Now my question to the members:
Do many people use the format "print buffer".
1. Should I just provide the above security warning at compile time?
2. Should I disallow the use of that format?

I do have a possible fix by changing the produced bytecode but it is a bit involved.

Anyway just thinking - opinions???

Larry

 

ckoehn

I hate to slow you down because I am anxiously awaiting the new compiler, but I think it would be advantageous to make it as secure as possible.  Just my thoughts.

Later,
Clint

LarryMc

Quote from: ckoehn on December 05, 2019, 06:40:48 amI hate to slow you down because I am anxiously awaiting the new compiler, but I think it would be advantageous to make it as secure as possible.  Just my thoughts.

Later,
Clint

I agree with Clint.
LarryMc
Larry McCaughn :)
Author of IWB+, Custom Button Designer library, Custom Chart Designer library, Snippet Manager, IWGrid control library, LM_Image control library

Andy

Hi,

Yes, I have used Print Buffer in the past, so anything you can do to make it more secure would be a big help to us all.

Andy.
Day after day, day after day, we struck nor breath nor motion, as idle as a painted ship upon a painted ocean.