On 2024-02-24, at 19:44:44,
Jeffrey Walton <noloa...@gmail.com> wrote:

> On Sat, Feb 24, 2024 at 7:37 PM Andy Smith <a...@strugglers.net>
> wrote:
> >
> > [...]
> > Turning back more to protocol design, we have spent decades walking
> > back Postel's Law as we find more and more ways that being liberal
> > in what our software accepts is untenable in the face of a hostile
> > Internet.  
> 
> ++. Postel's Law is a disaster nowadays. It was fine back in the
> 1980's, but it is dangerous in the toxic environments of today.
> 

Postel's law works on user-interfaced data far better than protocols. 

> Here's what we teach our developers: Look for any reason you can to
> reject the data. If you can't find a reason, then begrudgingly perform
> the processing or transformation.

On the flip side, it's a terrible idea to do that on user-entered data.
Yes, security-wise it's a great idea, but usability-wise it generates
annoyances at every step. Like, if, say, a user enters data (say, a
token from mail 2FA) with extra spaces, the "accept only the perfectly
good data" approach would prompt them to "sod off and try again",
instead of just cutting the whitespace out and checking the token.

Similarly, if the site requires a bank account number, most people
don't type it, they copy it; not accepting the long string of numbers
just because it had some whitespace added for better presentation just
annoys the users. And that pre-processing often (if it is a website)
can be done client-side, so server code can keep its tight and secure
processing without compromising.


-- 
Mariusz Gronczewski (XANi) <xani...@gmail.com>
GnuPG: 0xEA8ACE64
https://devrandom.eu
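
The split described in the message above, as an added example that is not part of the original thread: a lenient step that only strips whitespace (something a web page can run client-side) and strict checks the server applies to whatever arrives. The six-digit token format, the use of IBAN as the account-number format, the 64-character cap and all function names are assumptions.

```javascript
'use strict';

// Lenient step (client side): remove presentation whitespace only.
// JavaScript's \s also matches the no-break and thin spaces that
// copy-paste from a bank statement or an e-mail tends to carry.
// Nothing is guessed, substituted or truncated.
function canonicalize(raw) {
  if (typeof raw !== 'string' || raw.length > 64) return null; // assumed cap
  return raw.replace(/\s+/g, '');
}

// Strict step (server side): exactly six ASCII digits (assumed token format).
// [0-9] is spelled out so full-width or other Unicode digits never pass.
function strictToken(s) {
  return typeof s === 'string' && /^[0-9]{6}$/.test(s);
}

// Strict step (server side) for an account number, assumed to be an IBAN:
// fixed structure first, then the ISO 13616 mod-97 checksum.
function strictIban(s) {
  if (typeof s !== 'string') return false;
  if (!/^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$/.test(s)) return false;
  const rearranged = s.slice(4) + s.slice(0, 4);
  let rem = 0;
  for (const ch of rearranged) {
    const v = parseInt(ch, 36); // '0'-'9' -> 0-9, 'A'-'Z' -> 10-35
    rem = (v > 9 ? rem * 100 + v : rem * 10 + v) % 97;
  }
  return rem === 1;
}

// What the server sees when the page canonicalizes before submitting.
function submitToken(raw) {
  const s = canonicalize(raw);
  return s !== null && strictToken(s) ? s : null;
}

function submitIban(raw) {
  const s = canonicalize(raw);
  return s !== null && strictIban(s) ? s : null;
}
```

The strict functions never call `canonicalize` themselves, so a client that skips the lenient step is simply rejected rather than widening what the server accepts.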
