[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Theo chiming in on strlcpy
On Sat, Dec 21, 2013 at 07:10:46PM +0000, David Holland wrote:
> On Sat, Dec 21, 2013 at 06:51:07PM +0100, Marc Espie wrote:
> > Oh, you can borrow from us (for the "recognizing bad code"), we've
> > been patching the compiler and the libc to warn about strcpy and
> > friends for years. (the compiler, because otherwise, the built-ins
> > tend to vanish)
> Right, because all uses of strcpy are bad. Yeah.
No, only about 99% of them. There are many many developers out there,
and most of them don't know how to write reasonably secure code.
Yeah, you're probably the 1% that uses strcpy correctly the first time.
But think about it. Less gifted developers are going to use it incorrectly.
Or go write impossible-to-audit messes.
I prefer having my code go 0.5% less fast, but not to have to spend hours
auditing wacky wacky wacky string stuff.
Main Index |
Thread Index |