On Tue, Jun 22, 2004 at 08:38:08PM +0200, Hadmut Danisch wrote:
I do trust a parser generated by a parser generator or a common XML
library much more than any hand-coded quick and dirty SPF parser.
There is not automated parsing tool for SPF, and a syntax like SPF
invites for a quick and dirty implementation. Eats valid SPF records.
But that's how buffer overruns are generated.
how about lex?
What if I wish to add, e.g. cryptographic keys or jpeg images to the
records? What if
an entry becomes 180,000 bytes long? Are you sure that all SPF
implementations
will eat this without problem? No buffer limits?
I don't see how XML would fare any better. The problem is that the
record is 180K in size. XML parsers need to use buffers too. The
machines XML runs on also have limited amounts of memory. And we
are not going to be putting 180K into a resource record. Crypto
keys have already been covered, jpegs can be handled in much the
same way.
Is SPF really "extensible"? Or is it just not well defined?
Is that what you call "Extensibility" more than just a gap in the
definition?
Yes, SPF really is extensible. If we need to start dealing with
180K XML files later we can just add:
ihopeyourmailserverhasLOTSofmemory=http://host.example.net/bloat.xml
After all, when faced with a 180K download the HTTP overhead isn't
a problem. Hopefully it won't come to that.