String manipulation bugs
Posted Feb 6, 2011 19:08 UTC (Sun) by man_ls
In reply to: LCA: Lessons from 30 years of Sendmail
Parent article: LCA: Lessons from 30 years of Sendmail
(2) what are you left with when you exclude all the unnecessary and possibly dangerous operations? Not much.
strings. As seen in Java, Python or Lua. Safe, flexible, and only occasionally slow enough to use other options. If you remove the main cause for the most common security bug, and nobody complains, then in my book that is a good decision.
There are probably several times more remote execution bugs in scripting language built applications than C applications, just because of improper use of strings.
String manipulation bugs I can live with. Security holes are unacceptable. A language where every bug must be considered a security bug is too hard for me.