Date: Sun, 1 Jan 2023 03:02:31 +0200
On Sun, 1 Jan 2023 at 02:55, Henry Miller via Std-Proposals
<std-proposals_at_[hidden]> wrote:
>
> Not sure how compelling this is, but if the user cannot create that type of string that eliminates a lot of potential security issues. If the user can create these then we need to ensure it is easy to prevent doing it by accident. Think SQL injection issues but into C++.
>
> I'm not convinced the above alone is enough to say no to creating them, but it is at least an issue some users of strings will have and in turn something to ensure we consider.
>
Well, sure. Categorically, it opens the door to a door that has been
problematic in other contexts.
"Refer to lexically reachable things that are resolved at run-time."
Make it flexible enough, and it's a printf vulnerability. The question
is.. I dunno, about whether you allow the strings to be leaked/run-time
provided by attackers?
Received on 2023-01-01 01:02:43