
On 5/26/06, Christopher Granade <cgranade@gmail.com> wrote:
It seems to be a recurring problem that, in designing secure server-side software, it is difficult to distinguish between variables containing trusted and untrusted input. I would propose the addition of a library to Boost that attempts to alleviate these kinds of issues by providing a template for "trusted types," as well as methods that can be marked as requiring trusted input.
I had some thoughts about this problem too, but my ideal solution would be the other way around. Everything is trusted by default. External objects are wrapped in an untrusted<> wrapper. An object-specific function would check the input and remove the wrapper. It would be used like this:

    class my_input_checker {...};
    typedef untrusted<std::string, my_input_checker> untrusted_string;

    untrusted_string external_input();
    ...
    untrusted_string input = external_input();
    try {
        std::string checked_input = input;
    } catch(const trust_exception&) {
        ...
    }

On conversion, untrusted calls the input checker. On error the conversion fails and throws a trust_exception. This way, an untrusted object has a different type than a trusted one (no run-time flags). Most of the code deals only with ordinary (trusted) objects (and needs no change), while input functions return untrusted objects. Just my 0.02 euros.
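As an added illustration of the wrapper sketched above (example code written for this page, not taken from the post or from Boost): one working version of untrusted<T, Checker> whose conversion operator runs the checker and throws trust_exception on rejection. The checker's static check() interface, the letters-digits policy in my_input_checker, and the accept() helper are assumptions of this example.

```cpp
// Example implementation of the untrusted<> idea; the static Checker::check
// interface and the sample policy below are assumptions, not Boost code.
#include <algorithm>
#include <cctype>
#include <stdexcept>
#include <string>
#include <utility>

struct trust_exception : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Holds an external value; the only way out is the conversion operator,
// which runs Checker::check first and throws when the value is rejected.
template <class T, class Checker>
class untrusted {
public:
    explicit untrusted(T value) : value_(std::move(value)) {}
    operator T() const {                       // unwrap = validate
        if (!Checker::check(value_))
            throw trust_exception("input rejected by checker");
        return value_;
    }
private:
    T value_;
};

// Assumed sample policy: 1..32 ASCII letters, digits, '_' or '-'
// (e.g. a username field); anything else is rejected.
struct my_input_checker {
    static bool check(const std::string& s) {
        if (s.empty() || s.size() > 32) return false;
        return std::all_of(s.begin(), s.end(), [](unsigned char c) {
            return std::isalnum(c) || c == '_' || c == '-';
        });
    }
};

typedef untrusted<std::string, my_input_checker> untrusted_string;

// Stands in for an input function (request parameter, socket read, ...).
untrusted_string external_input(const std::string& raw) { return untrusted_string(raw); }

// Returns true and fills `out` only if the input passed the checker.
bool accept(const std::string& raw, std::string& out) {
    untrusted_string input = external_input(raw);
    try {
        std::string checked_input = input;     // conversion runs the checker
        out = checked_input;
        return true;
    } catch (const trust_exception&) {
        return false;
    }
}
```

Because `untrusted_string` is a distinct type, a function taking `std::string` cannot be handed raw external input by accident; the compiler forces the conversion, and the conversion forces the check.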