In article <mailman.7568.1393756930.18130.python-l...@python.org>, Stefan Behnel <stefan...@behnel.de> wrote:
> Haven't seen any mention of it on this list yet, but since it's such an > obvious flaw in quite a number of programming languages, here's a good > article on the recent security bug in iOS, which was due to accidentally > duplicated code not actually being as indented as it looked: > > https://www.imperialviolet.org/2014/02/22/applebug.html > > Stefan Hogwash. What this looks like is two gotos in a row. Anybody who reviewed this code would have thrown up a red flag when they saw two gotos in a row. If anything, the "incorrect" indentation makes it even more obvious. Any static code analyzer would have also caught this as an unreachable statement. Paraphrasing this into Python, you get: def bogus(): if SSLHashSHA1.update(hashCtx, serverRandom) != 0: raise fail if SSLHashSHA1.update(hashCtx, signedParams) != 0: raise fail raise fail if SSLHashSHA1.final(hashCtx, hashOut) != 0: raise fail which is syntactically valid (at least, I can import it), but clearly not what the author intended. So how did Python's indentation rules save us? On the other hand, the Python code was actually a little annoying to type in because emacs refused to auto-indent the second raise! So maybe the real rule is to only write code using emacs :-) -- https://mail.python.org/mailman/listinfo/python-list
