
Re: [Xotcl] Very severe limitation in XOTcl

From: Kristoffer Lawson <setok_at_scred.com>
Date: Wed, 4 Aug 2010 12:07:34 +0300

On 4 Aug 2010, at 10:08, mail_at_xdobry.de wrote:

> Hi!
>
> I found a workaround according to the XOTcl documentation.
>
> Foo new [list -init $a]

Thanks, yes. As tired as I was last night, I didn't come up with that. The thing is, that basically has to be done all the time if you are passing in variables. Obviously any time you pass a user-generated string, but also in other cases as well when you can't be 100% sure of the content (and often you can't). I probably have hundreds of places where this can cause a bug, at best, and a security hole, at worst.

Using [list -init <vars>] all the time does not, to me, sound like elegant programming. I use the dash feature much more infrequently than just plain instantiation. Besides, you are at risk even with the dash feature, if you pass it an argument...

I'm not exactly sure even how I would solve this for XOTcl. Any special argument syntax is always going to be at risk. As mentioned, even arguments to the dash values are risky. In that respect I would consider dropping the whole feature. It's that risky.

-- 
Kristoffer Lawson, Co-Founder, Scred // http://www.scred.com/