Jakob Bohm writes:

> Please note that on almost every platform I have encountered, sprintf-style calls are significantly slower and harder to security check than explicit string operations.  The sprintf-family is convenient for its ability to do flexible number formatting more easily and flexibly than any other mechanism (including C++ streams), but it is almost never a speedup when the input is all strings and no padding is requested.

CPU is not a factor here. The IMAP server will be blocking on disk and network I/O. A few extra CPU cycles won't be noticeable.

This is just like any other kind of a change. There has to be a clear benefit for making the change, a clear answer to the question "why"? If the existing code is working correctly, then this is the end of the road. There's no further benefit to be gained in that direction.

There's some argument to be made for aesthetics, but that alone isn't enough.

> While incorrect use of the unbounded strcpy/strcat functions can easily lead to significant security mistakes, blindly replacing them by an interpreted call to asprintf(), C++ string classes or other such "textbook" methods is just slowing things down to please rumor-induced fears.

I suspect somewhere around here there's an overpriced commercial "security analysis tool" hanging around, spewing forth senseless gibberish in order to justify its price and existence.
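As an added illustration (not code from this thread or from Courier itself), here are the two bounded ways of building a string that the discussion contrasts: an explicit length-checked memcpy join, and a sprintf-family call (snprintf used as the portable stand-in for asprintf). The mailbox-path inputs and function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Explicit string operations: measure first, refuse if the result would not
   fit, then copy. No format string is interpreted at run time.
   Writes base + "/" + name into out; returns the length or -1 on overflow. */
static int join_explicit(char *out, size_t outsz, const char *base, const char *name)
{
    size_t bl = strlen(base), nl = strlen(name);
    if (bl + 1 + nl + 1 > outsz) {      /* base, '/', name, terminating NUL */
        if (outsz) out[0] = '\0';
        return -1;
    }
    memcpy(out, base, bl);
    out[bl] = '/';
    memcpy(out + bl + 1, name, nl);
    out[bl + 1 + nl] = '\0';
    return (int)(bl + 1 + nl);
}

/* The sprintf-family version: snprintf bounds the write, but the caller must
   still check the return value, because a result >= outsz means truncation. */
static int join_snprintf(char *out, size_t outsz, const char *base, const char *name)
{
    int n = snprintf(out, outsz, "%s/%s", base, name);
    if (n < 0 || (size_t)n >= outsz) {  /* encoding error or truncated */
        if (outsz) out[0] = '\0';
        return -1;
    }
    return n;
}

/* Self-check: run both builders into scratch buffers of `cap` bytes (at most
   64) and report 1 if they agree: identical string, or both refused. */
static int builders_agree(size_t cap, const char *base, const char *name)
{
    char e[64], s[64];
    if (cap > sizeof e) cap = sizeof e;
    int ne = join_explicit(e, cap, base, name);
    int ns = join_snprintf(s, cap, base, name);
    if (ne < 0 || ns < 0)
        return ne == ns;                /* both must refuse together */
    return ne == ns && strcmp(e, s) == 0;
}

int main(void)
{
    char buf[16];                        /* constructed sample inputs below */
    printf("fits: %d\n", join_explicit(buf, sizeof buf, "Maildir", ".Sent"));
    printf("too long: %d\n", join_explicit(buf, sizeof buf, "Maildir", ".Drafts.2014"));
    printf("agree: %d\n", builders_agree(sizeof buf, "Maildir", ".Sent"));
    return 0;
}
```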


_______________________________________________
Courier-imap mailing list
Courier-imap@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap