[Toybox] getline() length

Rob Landley rob at landley.net
Sun Nov 9 13:04:38 PST 2014


On 11/09/14 09:01, M Farkas-Dyck wrote:
> On 08/11/2014, Rob <robpilling at gmail.com> wrote:
>> I don't know if this is an issue. If a user can run "grep blah /dev/zero"
>> then they have shell access anyway, what's to stop them compiling a C
>> program that allocates memory in a loop?
> 
> ¬(C compiler). But that is no great hindrance to memory-allocating
> denial of service.

A CGI script shouldn't allow you to run arbitrary command lines (unless
you've really screwed up) but may operate on arbitrary input, and "grep
in a pipeline" isn't ordinarily considered crazy funky coding.

Similarly "don't use getline() when implementing httpd or wget to parse
http 1.1 reply headers" is actually non-obvious advice...

> Yeah, I would deem this Someone Else's Problem.

Whose?

Rob
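The failure mode Rob is pointing at, written out as an added example (this is editor-added code, not Toybox's and not anything posted in the thread). getline() grows its buffer to fit whatever arrives before it returns, so a length check placed after the call runs only once the allocation has already happened; a reader that reads into a fixed buffer and refuses the line when it overflows never grows at all. The cap MAX_LINE, the function names, the status enum and the sample input (a sane header followed by 200 bytes with no newline, standing in for /dev/zero but finite) are all assumptions of the example:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Per-line cap. Kept tiny so the demo is visible; a real httpd/wget would
 * pick something like 8 KiB. This is an assumption of the example, not a
 * Toybox setting. */
#define MAX_LINE 64

enum line_status { LINE_OK = 0, LINE_EOF = 1, LINE_TOO_LONG = 2, LINE_ERR = 3 };

struct getline_result { size_t capacity; int rejected; };

/* The pattern the mail warns about: getline() first, length check second.
 * By the time the check runs, getline() has already realloc()ed the buffer
 * to fit whatever the peer sent; with no newline in the input there is no
 * bound. The capacity it reached is returned so the caller can see it. */
struct getline_result getline_then_check(FILE *f, size_t max)
{
    struct getline_result r = { 0, 0 };
    char *line = NULL;
    ssize_t len = getline(&line, &r.capacity, f);

    r.rejected = (len < 0 || (size_t)len > max);  /* too late to matter */
    free(line);
    return r;
}

/* Bounded reader: never holds more than cap bytes of the current line. On
 * overrun it returns LINE_TOO_LONG without reading further; the caller's
 * right move is to close the connection, not to keep draining input. */
enum line_status read_line_bounded(FILE *f, char *buf, size_t cap)
{
    size_t n = 0;
    int c;

    if (cap == 0) return LINE_ERR;
    while ((c = fgetc(f)) != EOF) {
        if (c == '\n') { buf[n] = '\0'; return LINE_OK; }
        if (n + 1 >= cap) { buf[n] = '\0'; return LINE_TOO_LONG; }
        buf[n++] = (char)c;
    }
    buf[n] = '\0';
    if (ferror(f)) return LINE_ERR;
    return n ? LINE_OK : LINE_EOF;   /* unterminated last line still counts */
}

/* Constructed stand-in for an HTTP/1.1 reply: one sane header line, then
 * 200 bytes with no newline at all (a finite /dev/zero, so the demo ends). */
static const char SANE_HEADER[] = "Content-Type: text/plain\n";
#define JUNK_LEN 200

static FILE *open_sample(void)
{
    static char sample[sizeof SANE_HEADER + JUNK_LEN];
    size_t off = strlen(SANE_HEADER);

    memcpy(sample, SANE_HEADER, off);
    memset(sample + off, 'A', JUNK_LEN);
    return fmemopen(sample, off + JUNK_LEN, "r");
}

/* Second line through the bounded reader: LINE_TOO_LONG, 64-byte buffer. */
enum line_status demo_bounded(void)
{
    char buf[MAX_LINE];
    FILE *f = open_sample();
    enum line_status s;

    if (!f) return LINE_ERR;
    s = read_line_bounded(f, buf, sizeof buf);
    if (s != LINE_OK || strcmp(buf, "Content-Type: text/plain") != 0) s = LINE_ERR;
    else s = read_line_bounded(f, buf, sizeof buf);
    fclose(f);
    return s;
}

/* Second line through getline(): rejected, but only after the whole 200-byte
 * "line" was buffered. capacity > MAX_LINE is the point. */
struct getline_result demo_getline(void)
{
    struct getline_result r = { 0, 1 };
    FILE *f = open_sample();

    if (!f) return r;
    getline_then_check(f, MAX_LINE);        /* sane header, passes */
    r = getline_then_check(f, MAX_LINE);    /* the unbounded one */
    fclose(f);
    return r;
}

int main(void)
{
    struct getline_result r = demo_getline();

    printf("getline: rejected=%d, but buffer already grew to %zu bytes (limit %d)\n",
           r.rejected, r.capacity, MAX_LINE);
    printf("bounded reader: status %d (2 == too long, nothing grew)\n",
           demo_bounded());
    return 0;
}
```

The bounded reader deliberately does not drain the rest of the over-long line: against a source like /dev/zero that loop would never finish, so the only sensible response to LINE_TOO_LONG is to close the stream and reject the request. Swap the 200-byte sample for a real socket and the getline() path is the "grep in a pipeline" problem from the mail, just inside the server.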

