[m-rev.] for review: avoid "poison null" security vulnerabilities
Ralph Becket
rafe at csse.unimelb.edu.au
Wed Mar 14 10:31:31 AEDT 2007
Simon Taylor, Monday, 12 March 2007:
>
> Estimated hours taken: 15
> Branches: main
>
> Make all functions which create strings from characters throw an exception
> or fail if the list of characters contains a null character.
>
> This removes a potential source of security vulnerabilities where one
> part of the program performs checks against the whole of a string passed
> in by an attacker (processing the string as a list of characters or using
> `unsafe_index' to look past the null character), but then passes the string
> to another part of the program or an operating system call that only sees
> up to the first null character. Even if Mercury stored the length with
> the string, allowing the creation of strings containing nulls would be a
> bad idea because it would be too easy to pass a string to foreign code
> without checking (as in the first example link).

Two things.

(1) The right solution to this problem is to have separate types for
strings with different properties, such as null_free_string,
fully_escaped_string and so forth.

(2) We should store the length field with strings anyway. The string
library operations are often O(n^2) rather than O(n) because we don't.

-- Ralph
--------------------------------------------------------------------------
mercury-reviews mailing list
Post messages to: mercury-reviews at csse.unimelb.edu.au
Administrative Queries: owner-mercury-reviews at csse.unimelb.edu.au
Subscriptions: mercury-reviews-request at csse.unimelb.edu.au
--------------------------------------------------------------------------
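
Added example, not part of the original message or of the Mercury change under review: a C sketch of the mismatch the log message describes, where a check runs over the whole string but a NUL-terminated consumer sees only the prefix, next to a constructor that fails on an embedded null. The struct lstr type, the function names and the sample strings are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical length-carrying string for this example (not Mercury's own
   representation): the checker sees all `len` bytes, including any NUL. */
struct lstr { const char *data; size_t len; };

/* Constructed input: passes a ".txt" suffix check, but C code sees "report.cfg". */
static const char SAMPLE[] = "report.cfg\0.txt";
static const struct lstr BAD = { SAMPLE, sizeof SAMPLE - 1 };
static const struct lstr GOOD = { "notes.txt", 9 };

/* Validation over the whole string, as a character-list check would do. */
static bool has_suffix(struct lstr s, const char *suffix) {
    size_t n = strlen(suffix);
    return s.len >= n && memcmp(s.data + s.len - n, suffix, n) == 0;
}

/* Number of bytes a NUL-terminated consumer (C library, system call) sees. */
static size_t c_visible_len(struct lstr s) {
    const char *nul = memchr(s.data, '\0', s.len);
    return nul ? (size_t)(nul - s.data) : s.len;
}

/* Construction that fails on an embedded NUL instead of silently truncating,
   so the checked string and the string handed to C are always the same. */
static bool to_c_string(struct lstr s, char *out, size_t outsz) {
    if (memchr(s.data, '\0', s.len) != NULL || s.len + 1 > outsz)
        return false;
    memcpy(out, s.data, s.len);
    out[s.len] = '\0';
    return true;
}

int main(void) {
    char buf[32];
    printf("suffix check passes: %d\n", has_suffix(BAD, ".txt"));
    printf("checked %zu bytes, C sees %zu: \"%s\"\n",
           BAD.len, c_visible_len(BAD), BAD.data);
    printf("to_c_string(BAD):  %d\n", to_c_string(BAD, buf, sizeof buf));
    printf("to_c_string(GOOD): %d\n", to_c_string(GOOD, buf, sizeof buf));
    return 0;
}
```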