LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

String manipulation bugs

String manipulation bugs

Posted Feb 6, 2011 19:08 UTC (Sun) by man_ls (subscriber, #15091)
In reply to: LCA: Lessons from 30 years of Sendmail by wahern
Parent article: LCA: Lessons from 30 years of Sendmail

(2) what are you left with when you exclude all the unnecessary and possibly dangerous operations? Not much.
Immutable strings. As seen in Java, Python or Lua. Safe, flexible, and only occasionally slow enough to use other options. If you remove the main cause for the most common security bug, and nobody complains, then in my book that is a good decision.
There are probably several times more remote execution bugs in scripting language built applications than C applications, just because of improper use of strings.
String manipulation bugs I can live with. Security holes are unacceptable. A language where every bug must be considered a security bug is too hard for me.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds