[662] in linux-security and linux-alert archive
[linux-security] good character, bad character
daemon@ATHENA.MIT.EDU (*Hobbit*)
Thu Apr 4 22:06:48 1996
Date: Thu, 4 Apr 1996 19:08:24 -0500
From: *Hobbit* <hobbit@avian.org>
To: best-of-security@suburbia.net, linux-security@tarsier.cv.nrao.edu
By no means did I mean to start a flamewar, and per charter, this is the
last that BOS shall hear from me on the subject. My message was in large
part a QUESTION, really, asking "why aren't people adapting a different
philosophy toward character filtering?" The example given was just that,
and certainly not meant to be a shining example of good coding style.
I never *took* C 101, remember, I just hack at this stuff.

I've always held the highest respect for Wietse's code as a solid and very
readable presentation, and would recommend it to anyone seeking good examples.
In fact I had that precise snippet of tcp_wrapper code, used to parse IDENTD
responses if I remember correctly, in mind when thinking about this whole
problem of user-supplied characters. Wietse's *philosophy* is the same one
I'm advocating, and as he points out his approach is much easier to verify at
a glance than my gnarly table. [Some more comments in the table might help,
but I've got *my* ascii chart handy.] And I will certainly agree that a one-off
run of something under inetd is rarely going to be a performance bottleneck.
However, when one is trying to speed-tweak something like a high-volume
web server that will be reading, checking, and massaging many lines of user
input per second, the gnarly table approach might have its advantages.

Whatever. The people writing web servers clearly aren't reading this list
anyways, so what's the difference.
_H*
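
The two styles contrasted in the message above, as an added example that is not part of the original post and is neither Hobbit's table nor the tcp_wrapper source: an allow-list enforced once with a readable strspn() loop and once with a 256-entry lookup table. The allowed set, the '_' replacement and the function names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allow-list for this example; choose the set your consumer needs. */
static const char ok_chars[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@%-_=+:,./";

/* Readable form: strspn() skips each run of allowed bytes; whatever
 * stops the run is replaced. Returns the number of bytes replaced. */
size_t sanitize_span(char *s)
{
    size_t changed = 0;
    char *cp = s;
    while (*(cp += strspn(cp, ok_chars)) != '\0') {
        *cp++ = '_';
        changed++;
    }
    return changed;
}

/* Table form: one lookup per byte. Entries start at 0 (rejected), so a
 * byte nobody thought about is refused by default. */
static unsigned char ok_table[256];
static int table_ready;

size_t sanitize_table(char *s)
{
    size_t changed = 0;
    unsigned char *cp;
    const char *p;
    if (!table_ready) {
        for (p = ok_chars; *p != '\0'; p++)
            ok_table[(unsigned char)*p] = 1;
        table_ready = 1;
    }
    /* Index as unsigned char: a plain char >= 0x80 may be negative. */
    for (cp = (unsigned char *)s; *cp != '\0'; cp++)
        if (!ok_table[*cp]) { *cp = '_'; changed++; }
    return changed;
}

int main(void)
{
    char a[] = "user;rm\xff`x`\n";   /* constructed sample input */
    char b[] = "user;rm\xff`x`\n";
    printf("%lu %s\n", (unsigned long)sanitize_span(a), a);
    printf("%lu %s\n", (unsigned long)sanitize_table(b), b);
    return 0;
}
```

Both functions implement the same default-deny policy; the table trades at-a-glance verifiability for a constant-time check per byte.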