Talk:Secure programming

From Lazarus wiki
Jump to navigationJump to search
var
  sName : String[10];
  ....
  sName :=  'abcdefghijklmnopqrstuvwxyz' ;
  ....

won't create any trouble. The compiler knows how long strings are when storing data. --FPK 23:32, 25 Feb 2005 (CET)

As I said, it's just a static example that even the compiler will find out... But first we need to understand what is a buffer overflow in order to know how to make a better workaround :) --ik_5

Is there some code that would

  1. illustrate buffer overflow problem
  2. not be detected by a range checking during runtime?

--Ruza 06:19, 26 Feb 2005 (CET)

Ruza, the "Secure programming" page is about how to write a good code vs bad code that can cuse to a security risks in your networks, computer or to a data. Memory leak is not a security risk (unless in some way the data in an unclean data does expose to someone). It's only a bug... I will keep your section and rephrase your writing in the weekend so it will be better :) But please keep on contributing to this section :) Thanks,

--ik_5

The memory leak can be actually a risk as it is depleting resources. In multitasking environment this may influence a system performance. It can be used for attacks as it can lead to denial of service as processes are swapped in and out of memory. The timing change can help with exploiting race conditions.

Other resource leaks can be dangerous too. Example can be allocating all inodes on a file system or opening all available sockets. Whole system can be rendered unusable this way.

Security can be defined in different ways. Usually security targets are defined before the security is evaluated. If there is an availability security target then timing issues can play a significant role in marking system secure or insecure.

Would you say that ATM spitting your credit card after six hours o inactivity is secure?

--Ruza 04:55, 2 Mar 2005 (CET)

Examples of correct code

Could we add examples of a good code. Pointing out problems is helpful. Showing examples how to do it correctly is better.


So for injection I would suggest some searching for semicolons and apostrofies.


I'm getting there ... At this time I have one more subject to add (into chapter 1) and then starting how to fix things and how to solve problems ...

I hope that it will be a start of a guide for programming style for FPC... but thats far at this time

BTW, there are three ways to make a better sanitation for things: 1. using parameters ("WHERE Name=?"... SQL.Param.Add(sName)) 2. removing chars that we do not think should exists (we usualy knows what we do need...). 3. Escape untrested chars.

--ik_5