From: Giovanni Piero Deretta (gpderetta_at_[hidden])
Date: 2006-05-26 08:40:06


On 5/26/06, Christopher Granade <cgranade_at_[hidden]> wrote:

> It seems to be a recurring problem that, in designing secure server-side
> software, it is difficult to distinguish between variables containing
> trusted and untrusted input. I would propose the addition of a library
> to Boost that attempts to alleviate these kinds of issues by providing a
> template for "trusted types," as well as methods that can be marked as
> requiring trusted input.

I had some thoughts about this problem too, but my ideal solution would
be the other way around. Everything is trusted by default. External objects
are wrapped in an untrusted<> wrapper. An object-specific function would
check the input and remove the wrapper.

It would be used like this:

  class my_input_checker {...};
  typedef untrusted<std::string, my_input_checker> untrusted_string;

  untrusted_string external_input();
  ...
  untrusted_string input = external_input();
  try {
    std::string checked_input = input;
  } catch(const trust_exception&) {
    ...
  }

On conversion, untrusted calls the input checker. On error the conversion
fails and throws a trust_exception.
This way, an untrusted object has a different type than a trusted one (no run
time flags). Most of the code deals only with ordinary (trusted) objects
(and needs no change), while input functions return untrusted objects.

Just my 0.02 euros.
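A minimal implementation of the untrusted<> wrapper sketched in the message above, as an added example that is not code from the original post or from Boost. It assumes a checker interface the post leaves open (a static `check(const T&)` member that throws trust_exception on rejection), and the `username_checker`, `external_input` and `try_greet` names are constructed for illustration. The only way to obtain the wrapped value is the conversion operator, which runs the checker, so a function that takes a plain `std::string` cannot receive unchecked input.

```cpp
#include <cctype>
#include <stdexcept>
#include <string>
#include <utility>

// Added example, not the original post's code: one way to implement the
// proposed untrusted<T, Checker> wrapper.

class trust_exception : public std::runtime_error {
public:
    explicit trust_exception(const std::string& what)
        : std::runtime_error(what) {}
};

// Assumed checker interface (the post does not specify one):
// static void check(const T&) returns normally for acceptable input and
// throws trust_exception otherwise.
template <typename T, typename Checker>
class untrusted {
public:
    explicit untrusted(T value) : value_(std::move(value)) {}

    // The only exit from the wrapper: converting to T runs the checker,
    // so every trusted copy has been validated.
    operator T() const {
        Checker::check(value_);  // throws trust_exception on rejection
        return value_;
    }

private:
    T value_;
};

// Constructed sample policy for a username field: bounded length and an
// allow-list of characters (no shell metacharacters, no control bytes).
struct username_checker {
    static void check(const std::string& s) {
        if (s.empty() || s.size() > 32)
            throw trust_exception("username: bad length");
        for (unsigned char c : s) {
            if (!(std::isalnum(c) || c == '_' || c == '-'))
                throw trust_exception("username: disallowed character");
        }
    }
};

typedef untrusted<std::string, username_checker> untrusted_username;

// Stand-in for an input function: it can only hand back wrapped values.
untrusted_username external_input(const std::string& raw) {
    return untrusted_username(raw);
}

// Ordinary (trusted) code: takes a plain std::string and needs no change.
// It cannot be reached with an untrusted_username without the conversion,
// and therefore without the check.
std::string greeting(const std::string& user) {
    return "hello, " + user;
}

// Returns the greeting for accepted input, or an empty string if the
// checker rejected it.
std::string try_greet(const std::string& raw) {
    untrusted_username input = external_input(raw);
    try {
        std::string checked = input;  // username_checker::check runs here
        return greeting(checked);
    } catch (const trust_exception&) {
        return std::string();
    }
}
```

Because the conversion is implicit, passing an `untrusted_username` straight to `greeting()` also compiles and also runs the check; if a silent conversion at a call site is undesirable, the conversion operator can be made `explicit` (C++11) so that every unwrap is a visible `std::string(input)`.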