On Mon, Jul 10, 2006 at 05:35:53PM -0700, Graydon Hoare wrote:

> 3. That buffer is immediately appended to a heap std::string and data is
> parsed from there using "safer" extractor functions. The extractor
> functions all test the length of every extraction against the string
> length, and assert fatally if they are asked to pass the end of the
> string they're reading from.
Although an example of careful programming for different objectives, this sounds like a way to DoS/crash a server.

The other points all sound good - at least necessary, if not sufficient :-)

Another possible interpretation of the question is around data confidentiality, assuming all the other points are addressed. If I expose a monotone server containing a collection of branches, even with all the process containment tricks, I have to rely on monotone's internal security controls regarding selective access to db contents. So it's valid to question the robustness of these controls and any implementation or deployment caveats around them. I'm not really sure if this was part of the OP's concern.

--
Dan.
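As an added illustration of the DoS caveat raised above (example code, not from monotone or from either poster): a length-checked extractor that reports an overrun as a per-message error instead of asserting fatally, so one malformed message fails its own connection rather than killing the whole server process. The 4-byte big-endian length-prefixed field format and all sample inputs are assumptions constructed for the example.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>

// Recoverable error: the per-connection handler catches it; the process lives on.
struct bad_packet : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Bounds-checked cursor over a received buffer (format constructed for this example).
class extractor {
public:
    explicit extractor(const std::string& buf) : buf_(buf), pos_(0) {}

    // Every extraction is checked against the remaining length. A fatal assert
    // here would let a single malformed message take down the server; throwing
    // a per-message exception confines the failure to this connection.
    std::string extract(size_t n) {
        if (n > buf_.size() - pos_) {          // pos_ <= size(), so no underflow
            throw bad_packet("extraction past end of buffer");
        }
        std::string out = buf_.substr(pos_, n);
        pos_ += n;
        return out;
    }

    // Length-prefixed field: 4-byte big-endian length, then payload.
    // The attacker-controlled length is re-checked against the remaining bytes.
    std::string extract_lenprefixed() {
        std::string hdr = extract(4);
        uint32_t len = 0;
        for (unsigned char c : hdr) len = (len << 8) | c;
        return extract(len);
    }

private:
    std::string buf_;
    size_t pos_;
};

// Per-connection handler: true if the message parsed, false if it was rejected.
bool handle_message(const std::string& wire, std::string& field_out) {
    try {
        extractor ex(wire);
        field_out = ex.extract_lenprefixed();
        return true;
    } catch (const bad_packet&) {
        field_out.clear();
        return false;
    }
}
```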
_______________________________________________
Monotone-devel mailing list
Monotone-devel@nongnu.org
http://lists.nongnu.org/mailman/listinfo/monotone-devel