|
Boost : |
From: David Abrahams (dave_at_[hidden])
Date: 2005-04-24 10:24:06
"Peter Dimov" <pdimov_at_[hidden]> writes:
> David Abrahams wrote:
>> "Giovanni P. Deretta" <lordshoo_at_[hidden]> writes:
>>
>>> - It is extremely insecure. In a network library security must be
>>> paramount. If the transport type were encoded in the address, it
>>> would be much harder to validate externally received addresses. A
>>> similar argument can be made for the port numbers. It is better to
>>> keep these things separated. The library user can create its own
>>> indexed factory collection if it really needs to.
>>
>> That's a very convincing argument.
>
> No, it isn't. If you analyze the security of the two cases
> carefully you'll see that there isn't much of a difference, except
> that the "transport-encoded" type gives you one bit of extra
> information, the transport, which you can check against your
> expectations.
Sorry, not enough sleep. I knew I wasn't quite saying what I meant.
I meant that if there is truly a security problem that's very
compelling. I don't know how to analyze whether that's the case or
not.
-- Dave Abrahams Boost Consulting www.boost-consulting.com
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk