Date: Sun, 1 Feb 2026 09:00:45 +0200
On Sun, 1 Feb 2026 at 08:16, Jan Schultke via Std-Proposals
<std-proposals_at_[hidden]> wrote:
> From a security standpoint, since std::cstring_view cannot guarantee that it contains no embedded nulls (because it doesn't own and control its data), you will always need to rescan the contents anyway. It's always possible to maliciously craft a view that has embedded nulls, no matter whether the standard permits them on paper or not.
>
> I would find the arguments against embedded nulls convincing if they revolved around proper invariants and hard guarantees, but that's not the case. We either permit embedded nulls, or we permit embedded nulls and have the standard PDF say that actually they're not okay (but no one can enforce this realistically).
I would find these zero-terminated string view proposals much more
convincing if they revolved around proper invariants and hard
guarantees too.
I don't see how they can do that until the only thing such a string
view views is a const std::basic_string that has an allocator that
invalidates the string
view on deallocation.
<std-proposals_at_[hidden]> wrote:
> From a security standpoint, since std::cstring_view cannot guarantee that it contains no embedded nulls (because it doesn't own and control its data), you will always need to rescan the contents anyway. It's always possible to maliciously craft a view that has embedded nulls, no matter whether the standard permits them on paper or not.
>
> I would find the arguments against embedded nulls convincing if they revolved around proper invariants and hard guarantees, but that's not the case. We either permit embedded nulls, or we permit embedded nulls and have the standard PDF say that actually they're not okay (but no one can enforce this realistically).
I would find these zero-terminated string view proposals much more
convincing if they revolved around proper invariants and hard
guarantees too.
I don't see how they can do that until the only thing such a string
view views is a const std::basic_string that has an allocator that
invalidates the string
view on deallocation.
Received on 2026-02-01 07:01:01