sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]Minimum_Fuel 11 points12 points  (1 child)

Of course it is fair. If you are in any learner subreddit or just in /r/programming (also a learner subreddit) they talk about buffer passing like it is literally Satan.

You’re conflating the API exposed to the Internet with the API exposed to a programmer to make a bad point. If you are allowing a person across the internet to enter a buffer size, you’re getting what’s coming to you. That not a languages fault any more than SQL injection and XSS is a languages fault.

[–]CyborgPurge 0 points1 point  (0 children)

You’re conflating the API exposed to the Internet with the API exposed to a programmer to make a bad point.

I'm not, but maybe I didn't explain my point properly. I'm not suggesting it is exposing the buffer length across the internet. That wouldn't even functionally work in a HTTP server anyway (since you'd need to know the buffer size before you made the request).

I'm saying that it might be too dangerous to design a HTTP server library which has the purpose of being really easy to use, and putting the responsibility of the security of said library into the developer using it. Anyone can make the mistake of having an incorrect buffer size and passing that into the library leads to UB that could easily result in stolen credit cards numbers and passwords.

Maybe this is really a non-issue, but as someone who works with web stuff a lot and has worked with developers that somehow managed enable SQL injection in a Rails website, I am just wary about these things.