On Thu, Jan 12, 2023 at 8:33 AM Jürgen Schönwälder < j.schoenwael...@jacobs-university.de> wrote:
> On Thu, Jan 12, 2023 at 07:08:05AM -0800, Andy Bierman wrote: > > > > Just because the escaped string is "safe" inside a NETCONF protocol > message > > does not mean it is safe to use in other tools. Data (especially list > keys) > > gets moved > > between software programs. Unrestricted strings increase the risk of data > > injection attacks. > > > > Sorry, broken code that does not handle inputs of unexpected length > can't be secured by standardizing arbitrary limits. The only option is > to fix the broken code. Code that fails to validate its inputs can't > be fixed by arbitrary limits and the pure hope that the broken code > will never see something causing it to crash. > > My statement is about the risk of using unconstrained values in strings, not the length. It is my preference to avoid characters in leaf keys that are known to cause problems with shells and other tools. It is a tradeoff. You can have the freedom to construct all-whitespace key leafs, but at the risk of implementations not handling it correctly. The designer(s) should pick the most appropriate type, based on priorities. /js > > Andy > -- > Jürgen Schönwälder Constructor University Bremen gGmbH > Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany > Fax: +49 421 200 3103 <https://www.jacobs-university.de/> >
_______________________________________________ netmod mailing list netmod@ietf.org https://www.ietf.org/mailman/listinfo/netmod
