
From: Giovanni Piero Deretta (gpderetta_at_[hidden])
Date: 2006-05-26 08:40:06


On 5/26/06, Christopher Granade <cgranade_at_[hidden]> wrote:

> It seems to be a recurring problem that, in designing secure server-side
> software, it is difficult to distinguish between variables containing
> trusted and untrusted input. I would propose the addition of a library
> to Boost that attempts to alleviate these kinds of issues by providing a
> template for "trusted types," as well as methods that can be marked as
> requiring trusted input.

I had some thoughts about this problem too, but my ideal solution would
be the other way around. Everything is trusted by default. External objects
are wrapped in an untrusted<> wrapper. An object-specific function would check
the input and remove the wrapper.

It would be used like this:

  class my_input_checker {...};
  typedef untrusted<std::string, my_input_checker> untrusted_string;

  untrusted_string external_input();
  ...
  untrusted_string input = external_input();
  try {
    std::string checked_input = input;
  } catch(const trust_exception&) {
    ...
  }

On conversion, untrusted calls the input checker. On error the conversion
fails and throws a trust_exception.
This way, an untrusted object has a different type than a trusted one (no
run-time flags). Most of the code deals only with ordinary (trusted) objects
(and needs no change), while input functions return untrusted objects.

Just my 0.02 euros.
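
The untrusted<> wrapper sketched in the message above, written out as an added example (my code, not Giovanni's or Boost's). The identifier_checker policy, the external_input stand-in and the accept helper are assumptions chosen to exercise the design.

```cpp
#include <algorithm>
#include <cctype>
#include <stdexcept>
#include <string>
#include <utility>
// Thrown when the checker rejects the wrapped value.
struct trust_exception : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Marks a value as untrusted. The only way out is the conversion to T, which runs
// Checker first and throws on rejection: trust is a static type, not a run-time flag.
template <class T, class Checker>
class untrusted {
public:
    explicit untrusted(T value) : value_(std::move(value)) {}
    operator T() const {
        if (!Checker{}(value_))
            throw trust_exception("untrusted value rejected by checker");
        return value_;
    }
private:
    T value_;
};

// Hypothetical checker: 1..32 characters, each from [A-Za-z0-9_].
struct identifier_checker {
    bool operator()(const std::string& s) const {
        if (s.empty() || s.size() > 32) return false;
        return std::all_of(s.begin(), s.end(), [](unsigned char c) {
            return std::isalnum(c) != 0 || c == '_';
        });
    }
};
typedef untrusted<std::string, identifier_checker> untrusted_string;
// Stand-in for data arriving across the trust boundary (caller supplies it).
untrusted_string external_input(const std::string& raw) {
    return untrusted_string(raw);
}

// Unwraps as in the sketch above; false means the checker rejected the input.
bool accept(const std::string& raw, std::string& checked) {
    try {
        std::string result = external_input(raw);  // conversion runs the checker
        checked = result;
        return true;
    } catch (const trust_exception&) {
        return false;
    }
}
```

Code that only ever takes std::string cannot accidentally consume an untrusted_string, because the compiler forces the conversion (and therefore the check) at the boundary.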


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk