| To: | "Clive D.W. Feather" <yyyyy@xxxxxxxxx> |
|---|---|
| Subject: | Re: Defect in XSH asctime() |
| From: | "H. Peter Anvin" <yyy@xxxxxxxxx> |
| Date: | Tue, 23 Dec 2003 01:48:15 -0800 |
| Cc: | yyyyyyyyyyyyyyy@xxxxxxx, yyyyyyyyyyyyyyy@xxxxxxxxxxxxx |
| References: | <200312120217.CAA12802@xxxxxx> <20031215110941.GA31124@finch-staff-1.thus.net> <3FDF65CF.7070707@xxxxxx> <20031223093038.GC32880@finch-staff-1.thus.net> |
Clive D.W. Feather wrote:

> H. Peter Anvin said:
>
>>> WG14 examined this issue quite a long time ago. We decided that the behaviour was simply undefined. There is no requirement that a particular string appear in the buffer, or even that the function call returns in a sensible state (or at all). It's *UNDEFINED*.
>>
>> I would classify that as a security hazard.
>
> So is much of the C Standard library when misused. The answer is to do validation elsewhere (though there are moves towards a new, secure, library).

The problem is that it's highly difficult to validate elsewhere since this data might be locale-dependent.

-hpa
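
Added example, not part of the original message or of any standard library: one way to do the "validation elsewhere" discussed in this thread is to range-check every `struct tm` field before formatting into a caller-supplied, length-checked buffer. The name `checked_asctime` is hypothetical, and the four-digit year limit is an assumption chosen so the output fits the 26-byte `asctime()` layout.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical helper: bounded stand-in for asctime().
 * Returns 0 on success, -1 if a field is out of range or buf is too small. */
int checked_asctime(const struct tm *tm, char *buf, size_t len)
{
    static const char wday[7][4] = {"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"};
    static const char mon[12][4] = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
    int n;

    if (tm == NULL || buf == NULL || len == 0)
        return -1;
    buf[0] = '\0';

    /* tm_wday and tm_mon index the tables above, so check them first;
     * the remaining fields are printed with fixed widths. */
    if (tm->tm_wday < 0 || tm->tm_wday > 6 ||
        tm->tm_mon  < 0 || tm->tm_mon  > 11 ||
        tm->tm_mday < 1 || tm->tm_mday > 31 ||
        tm->tm_hour < 0 || tm->tm_hour > 23 ||
        tm->tm_min  < 0 || tm->tm_min  > 59 ||
        tm->tm_sec  < 0 || tm->tm_sec  > 60 ||      /* 60 allows a leap second */
        tm->tm_year < -1900 || tm->tm_year > 9999 - 1900)
        return -1;

    /* snprintf never writes past len; a truncated result is an error here. */
    n = snprintf(buf, len, "%.3s %.3s%3d %.2d:%.2d:%.2d %d\n",
                 wday[tm->tm_wday], mon[tm->tm_mon], tm->tm_mday,
                 tm->tm_hour, tm->tm_min, tm->tm_sec, 1900 + tm->tm_year);
    if (n < 0 || (size_t)n >= len) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample input: the date of this message. */
    struct tm t = {0};
    char buf[26];
    t.tm_year = 103; t.tm_mon = 11; t.tm_mday = 23; t.tm_wday = 2;
    t.tm_hour = 1; t.tm_min = 48; t.tm_sec = 15;
    if (checked_asctime(&t, buf, sizeof buf) == 0)
        fputs(buf, stdout);
    t.tm_year = 10000 - 1900;   /* five-digit year: rejected, not formatted */
    return checked_asctime(&t, buf, sizeof buf) == -1 ? 0 : 1;
}
```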