On 4/3/07, Eric C <eric at newmag.org> wrote:
> It will kick 'em out before anything else gets done.
> What do you think?

The rule of thumb in securing user input is *NOT* to blacklist what you think is invalid, but to whitelist only that which is acceptable input. If it is a hash of [a-z0-9] only, then make a whitelist on this grammar. You see, the world of inputs is possibly infinite, and you don't want to have cases pertaining to all of them. Also, I wouldn't even give an attacker a helpful message like you do in your patch. I would give a more generic error like "Something went wrong..." and use that for every error you encounter!

--
Kristian Hermansen

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
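An added illustration of the whitelist-versus-blacklist point above (example code written for this archive page, not Eric's patch or anything from the thread): a blacklist validator beside a whitelist one for the `[a-z0-9]` hash, both returning the same generic error. The length bounds and function names are assumptions; the example also shows why the whole-string match matters, since a `$`-anchored pattern still accepts a trailing newline.

```python
import re

# Constructed example: validating a hash field that may contain only [a-z0-9],
# as described in the message. The 32..64 length bound is an assumed value.
GENERIC_ERROR = "Something went wrong..."   # one message for every failure
MIN_LEN, MAX_LEN = 32, 64

# Whitelist: the complete grammar of acceptable input, nothing else.
WHITELIST = re.compile(r"[a-z0-9]{%d,%d}" % (MIN_LEN, MAX_LEN))

# Blacklist: a guess at "bad" characters; anything not on the list slips through.
BLACKLIST = re.compile(r"[;'\"<>\\ ]")


def validate_blacklist(value):
    """Reject only characters someone thought of; returns (value, error)."""
    if not isinstance(value, str) or BLACKLIST.search(value):
        return None, GENERIC_ERROR
    return value, None


def validate_whitelist(value):
    """Accept only input matching the whole grammar; returns (value, error).

    fullmatch() anchors at both ends of the string, so a newline, upper-case
    letter, non-ASCII digit or wrong length all fail with the same message.
    """
    if not isinstance(value, str) or not WHITELIST.fullmatch(value):
        return None, GENERIC_ERROR
    return value, None


def dollar_anchor_accepts(value):
    """Pitfall check: '^...$' with re.match still accepts a trailing newline."""
    return re.match(r"^[a-z0-9]{%d,%d}$" % (MIN_LEN, MAX_LEN), value) is not None


if __name__ == "__main__":
    good = "a" * 40
    # Inputs the blacklist never considered: trailing newline, upper case, too short.
    for sample in (good, good + "\n", "A" * 40, "a" * 10):
        print(repr(sample[:12]), validate_blacklist(sample)[1], validate_whitelist(sample)[1])
    print("'$' anchor accepts newline:", dollar_anchor_accepts(good + "\n"))
```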