On Thu, Oct 14, 2004 at 03:32:02PM -0600, Commerco WebMaster wrote:
> SPF List Members,
>
> I have been thinking about an area of the SPF spec that could conceivably
> cause those who implement SPF checking in their applications quite a bit of
> trouble when reading some published SPF TXT records.
>
> I imagine those who are developing their applications would also see this,
> but the last thing I would want to do is to cause pain for SPF application
> developers, and especially so for some larger ISPs who may be using such
> software in an online testing mode, should it be remotely possible they
> missed this in their implementation(s). Indeed, the problem may have
> already been discussed but is apparently not addressed in the SPF
> specification.

Please correct me if I'm wrong, but it sounds like you're dancing around
the issue of input validation, to ensure no unexpected data is processed
by the application (and to avoid such things as buffer overflows, etc.).
I would hope most coders are aware of such necessities. If not, there's
a great O'Reilly book for C programmers called, "Secure Programming
Cookbook for C and C++" which I'd highly recommend. Those interested in
the types of things that can happen when input is not validated should
read titles such as "The Shellcoder's Handbook", which I also highly
recommend.
--
Mark C. Langston            GOSSiP Project                     Sr. Unix SysAdmin
mark(_at_)bitshift(_dot_)org  http://sufficiently-advanced.net   mark(_at_)seti(_dot_)org
Systems & Network Admin     Distributed                        SETI Institute
http://bitshift.org         E-mail Reputation                  http://www.seti.org
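
An added example, not part of the original message or of any SPF implementation: a C routine that applies the kind of input validation the reply describes to an untrusted SPF TXT payload before it is parsed. The function and type names and the three size limits are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>
/* Local policy limits picked for this example (assumptions, not SPF spec values). */
#define SPF_MAX_RECORD 512
#define SPF_MAX_TERMS  32
#define SPF_MAX_TERM   128

enum spf_rc { SPF_OK, SPF_TOO_LONG, SPF_BAD_BYTE, SPF_BAD_VERSION,
              SPF_TERM_TOO_LONG, SPF_TOO_MANY_TERMS };
struct spf_terms {
    size_t count;
    char   term[SPF_MAX_TERMS][SPF_MAX_TERM + 1];
};

/* Validate an untrusted TXT payload of `len` bytes (not assumed NUL-terminated) and
 * split it into bounded terms. Every copy follows a length check; on error discard `out`. */
enum spf_rc spf_split(const unsigned char *txt, size_t len, struct spf_terms *out)
{
    static const char ver[] = "v=spf1";
    size_t i, vlen = sizeof ver - 1;
    out->count = 0;
    if (len > SPF_MAX_RECORD)
        return SPF_TOO_LONG;
    for (i = 0; i < len; i++)          /* printable ASCII only: no NUL, CR/LF, 8-bit */
        if (txt[i] < 0x20 || txt[i] > 0x7e)
            return SPF_BAD_BYTE;
    if (len < vlen || memcmp(txt, ver, vlen) != 0 || (len > vlen && txt[vlen] != ' '))
        return SPF_BAD_VERSION;
    for (i = vlen; i < len; ) {
        size_t start;
        if (txt[i] == ' ') { i++; continue; }            /* skip separators */
        for (start = i; i < len && txt[i] != ' '; i++)   /* find end of term */
            ;
        if (i - start > SPF_MAX_TERM)
            return SPF_TERM_TOO_LONG;
        if (out->count == SPF_MAX_TERMS)
            return SPF_TOO_MANY_TERMS;
        memcpy(out->term[out->count], txt + start, i - start);
        out->term[out->count++][i - start] = '\0';
    }
    return SPF_OK;
}

int main(void)
{
    static const char rec[] = "v=spf1 mx -all";   /* constructed sample record */
    struct spf_terms t;
    return spf_split((const unsigned char *)rec, sizeof rec - 1, &t) != SPF_OK;
}
```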