spf-discuss

Re: Managing exploits

2004-10-14 16:08:40
On Thu, Oct 14, 2004 at 03:32:02PM -0600, Commerco WebMaster wrote:
> SPF List Members,
>
> I have been thinking about an area of the SPF spec that could conceivably
> cause those who implement SPF checking in their applications quite a bit of
> trouble when reading some published SPF TXT records.
>
> I imagine those who are developing their applications would also see this,
> but the last thing I would want to do is to cause pain for SPF application
> developers, and especially so for some larger ISPs who may be using such
> software in an online testing mode, should it be remotely possible they
> missed this in their implementation(s).  Indeed, the problem may have
> already been discussed but is apparently not addressed in the SPF
> specification.


Please correct me if I'm wrong, but it sounds like you're dancing around
the issue of input validation, to ensure no unexpected data is processed
by the application (and to avoid such things as buffer overflows, etc.).

I would hope most coders are aware of such necessities.  If not, there's
a great O'Reilly book for C programmers called, "Secure Programming
Cookbook for C and C++" which I'd highly recommend.  Those interested in
the types of things that can happen when input is not validated should
read titles such as "The Shellcoder's Handbook", which I also highly
recommend.

-- 
Mark C. Langston            GOSSiP Project          Sr. Unix SysAdmin
mark(_at_)bitshift(_dot_)org   http://sufficiently-advanced.net    
mark(_at_)seti(_dot_)org
Systems & Network Admin      Distributed               SETI Institute
http://bitshift.org       E-mail Reputation       http://www.seti.org
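The input-validation point raised in the reply above, as an added example that is not part of the thread and not code from any SPF implementation: a bounded C validator that rejects an SPF TXT record before anything evaluates it if the record is too long, contains non-printable bytes, lacks the "v=spf1" tag, has a term with an unrecognised name, or carries a malformed "/NN" suffix. The length limits, the term list, and the function names (spf_validate, spf_term_count, oversized_term_result) are assumptions made for this example rather than values from the SPF draft; the sample records are constructed.

```c
/* Added example: defensive validation of an SPF TXT record before it is
 * interpreted.  Limits and grammar below are assumptions for this example,
 * not values taken from the SPF specification or from any real checker. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SPF_MAX_RECORD 450   /* assumed: whole record, bytes */
#define SPF_MAX_TERM   255   /* assumed: one term, bytes */
#define SPF_MAX_TERMS  32    /* assumed: terms per record */

enum spf_err {
    SPF_OK = 0,
    SPF_ERR_TOO_LONG,        /* record exceeds SPF_MAX_RECORD */
    SPF_ERR_BAD_CHAR,        /* byte outside printable ASCII */
    SPF_ERR_NO_VERSION,      /* does not begin with "v=spf1" */
    SPF_ERR_TERM_TOO_LONG,   /* one term exceeds SPF_MAX_TERM */
    SPF_ERR_TOO_MANY_TERMS,
    SPF_ERR_UNKNOWN_TERM,    /* mechanism or modifier name not recognised */
    SPF_ERR_BAD_SYNTAX,      /* unexpected separator after a known name */
    SPF_ERR_BAD_CIDR         /* "/NN" suffix malformed or out of range */
};

static const char *const mechanisms[] = {
    "all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"
};
static const char *const modifiers[] = { "redirect", "exp" };

/* Case-insensitive comparison of name[0..n) against a NUL-terminated word. */
static int word_eq(const char *name, size_t n, const char *word)
{
    if (strlen(word) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)name[i]) != (unsigned char)word[i]) return 0;
    return 1;
}

static int in_list(const char *name, size_t n, const char *const *list, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (word_eq(name, n, list[i])) return 1;
    return 0;
}

/* Accept "/NN" with NN in 0..maxbits; rejects "/", "/abc" and "/999". */
static int cidr_ok(const char *p, size_t n, int maxbits)
{
    if (n < 2 || n > 4 || p[0] != '/') return 0;
    int v = 0;
    for (size_t i = 1; i < n; i++) {
        if (!isdigit((unsigned char)p[i])) return 0;
        v = v * 10 + (p[i] - '0');
    }
    return v <= maxbits;
}

/* One term: [qualifier]name[":"arg]["/"cidr]  or  name"="arg.  The term is
 * examined in place as (pointer, length); nothing is copied into a fixed
 * buffer.  Dual-CIDR ("/24//64") and macros are not handled (simplification). */
static enum spf_err check_term(const char *t, size_t n)
{
    if (n > SPF_MAX_TERM) return SPF_ERR_TERM_TOO_LONG;
    if (n > 0 && t[0] != '\0' && strchr("+-~?", t[0]) != NULL) { t++; n--; }
    size_t name_len = 0;
    while (name_len < n && isalnum((unsigned char)t[name_len])) name_len++;
    if (name_len == 0) return SPF_ERR_UNKNOWN_TERM;
    if (name_len < n && t[name_len] == '=')
        return in_list(t, name_len, modifiers, 2) ? SPF_OK : SPF_ERR_UNKNOWN_TERM;
    if (!in_list(t, name_len, mechanisms, 8)) return SPF_ERR_UNKNOWN_TERM;
    if (name_len == n) return SPF_OK;                  /* bare "mx", "-all" */
    const char *rest = t + name_len;
    size_t rn = n - name_len;
    if (rest[0] != ':' && rest[0] != '/') return SPF_ERR_BAD_SYNTAX;
    const char *slash = rest[0] == '/' ? rest
                      : (const char *)memchr(rest + 1, '/', rn - 1);
    if (slash != NULL) {
        int maxbits = word_eq(t, name_len, "ip6") ? 128 : 32;
        if (!cidr_ok(slash, (size_t)(rest + rn - slash), maxbits)) return SPF_ERR_BAD_CIDR;
    }
    return SPF_OK;
}

/* Validate a whole record; on success *nterms (if given) receives the term count. */
enum spf_err spf_validate(const char *rec, int *nterms)
{
    size_t len = strlen(rec);
    if (len > SPF_MAX_RECORD) return SPF_ERR_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)rec[i];
        if (c < 0x20 || c > 0x7e) return SPF_ERR_BAD_CHAR;
    }
    if (len < 6 || !word_eq(rec, 6, "v=spf1") || (len > 6 && rec[6] != ' '))
        return SPF_ERR_NO_VERSION;
    const char *p = rec + 6, *end = rec + len;
    int count = 0;
    while (p < end) {
        while (p < end && *p == ' ') p++;
        if (p == end) break;
        const char *q = (const char *)memchr(p, ' ', (size_t)(end - p));
        if (q == NULL) q = end;
        if (++count > SPF_MAX_TERMS) return SPF_ERR_TOO_MANY_TERMS;
        enum spf_err e = check_term(p, (size_t)(q - p));
        if (e != SPF_OK) return e;
        p = q;
    }
    if (nterms != NULL) *nterms = count;
    return SPF_OK;
}

/* Term count of a valid record, or -1 if the record is rejected. */
int spf_term_count(const char *rec)
{
    int n = 0;
    return spf_validate(rec, &n) == SPF_OK ? n : -1;
}

/* Constructed input: one 260-byte include term, within the record limit but
 * over the per-term limit; this is the kind of field a naive strcpy() into a
 * fixed buffer would overflow. */
enum spf_err oversized_term_result(void)
{
    char rec[300];
    strcpy(rec, "v=spf1 include:");
    size_t at = strlen(rec);
    memset(rec + at, 'a', 252);
    rec[at + 252] = '\0';
    return spf_validate(rec, NULL);
}

int main(void)
{
    /* Constructed sample records, not records published by any real domain. */
    const char *samples[] = {
        "v=spf1 mx ip4:192.0.2.0/24 include:_spf.example.net -all",
        "v=spf1 ip4:192.0.2.0/33 -all", "v=spf1 bogus:x -all", "spf1 mx -all",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d  %s\n", (int)spf_validate(samples[i], NULL), samples[i]);
    printf("%d  (260-byte include term)\n", (int)oversized_term_result());
    return 0;
}
```

The design point is that every check runs over the original string as a pointer and a length, and the record is rejected before any term is copied, resolved or evaluated; a checker built this way has no fixed-size term buffer for an oversized or malformed published record to overrun. Names are matched case-insensitively as SPF terms are; dual-CIDR suffixes and macro expansion are deliberately left out, so a production checker would need to extend check_term for those.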

