1. 2
  2. 1

    Three things I found fascinating about this bug. And by fascinating, I mean rather worrisome.

    Somebody really called a variable “localExtraLenOrWhatever”. In a piece of code that parses untrusted user input.

    There’s an entire category of these TOCTOU bugs out there. Validate with one parser, actually parse with a different parser. This is at least the third instance I’m aware of, and every time the fix is to tweak the “validating” parser instead of using a single canonical parser. Doh!

    Somebody found an integer type bug and “fixed” it by fiddling with the types instead of understanding the issue. At least they left a helpful comment that maybe later somebody else should figure out what’s really happening.
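
An added example, not part of the comment above and not code from the bug it discusses: two parsers that disagree on the signedness of one length field, next to a flow that checks and loads through a single parser. The record format, the sample bytes and every function name are constructed for illustration.

```python
import struct

# Constructed toy record format (an assumption, not the format from the bug):
#   2-byte little-endian extra_len | extra bytes | payload
HEADER = 2
# Constructed sample: extra_len = 0x8000, extra area begins with "APPROVED".
SAMPLE = b"\x00\x80" + b"APPROVED".ljust(0x8000, b"\0") + b"UNCHECKED"

def validator_payload(blob: bytes) -> bytes:
    """'Validating' parser: reads extra_len as a SIGNED 16-bit value."""
    (extra_len,) = struct.unpack_from("<h", blob, 0)
    # Constructed behaviour: a negative length is treated as "no extra data".
    return blob[HEADER + max(extra_len, 0):]

def loader_payload(blob: bytes) -> bytes:
    """Consuming parser: reads the same two bytes as UNSIGNED 16-bit."""
    (extra_len,) = struct.unpack_from("<H", blob, 0)
    return blob[HEADER + extra_len:]

def canonical_payload(blob: bytes) -> bytes:
    """One parser for both checking and loading; rejects impossible lengths."""
    if len(blob) < HEADER:
        raise ValueError("truncated header")
    (extra_len,) = struct.unpack_from("<H", blob, 0)
    if HEADER + extra_len > len(blob):
        raise ValueError("extra_len runs past end of record")
    return blob[HEADER + extra_len:]

def is_approved(payload: bytes) -> bool:
    # Stand-in for a signature or hash check over the payload.
    return payload.startswith(b"APPROVED")

def split_brain_accepts(blob: bytes) -> bytes:
    """Check what one parser sees, then use what the other parser sees."""
    if not is_approved(validator_payload(blob)):
        raise ValueError("rejected")
    return loader_payload(blob)

def single_parser_accepts(blob: bytes) -> bytes:
    """Check and use the exact bytes returned by the one canonical parser."""
    payload = canonical_payload(blob)
    if not is_approved(payload):
        raise ValueError("rejected")
    return payload

if __name__ == "__main__":
    print("split flow hands back:", split_brain_accepts(SAMPLE))
    print("canonical parser sees:", canonical_payload(SAMPLE))
```

In the split flow the check passes on bytes the loader never uses. The single-parser flow rejects the same record because the bytes it checks are the bytes it returns.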