"Apple mobile devices at risk......"
<blockquote data-quote="cptkrf" data-source="post: 1569508" data-attributes="member: 134861"><p><strong>The failure from a programmer's view.</strong></p><p></p><p>This soliloquy is for programmers, but feel free to read it anyway.</p><p></p><p>By now, most have seen the now famous Goto Fail of the current OSX/IOS security failure (that this thread is about). Most articles I have read all talk about how it is just a finger check where he/she hit insert twice. I think it is a reason to condemn the shortcuts built into C-type compilers.</p><p></p><p>C (and Perl and…) allow an IF statement construct to assume the curly brackets exist if the conditional statement has only one line, like so…</p><p></p><p>if (some condition)</p><p> goto fail;</p><p></p><p>Obviously, the code under the gun at the moment… </p><p></p><p>if (some condition)</p><p> goto fail;</p><p>goto fail;</p><p>Important code past this point will never be executed, like SSL checking and stuff that you might want when you surf.</p><p></p><p>The second Goto statement will always be run, no matter what the result of the if condition and of course, that is the cause of the failure we are discussing.</p><p></p><p>Now, if the programmer had used the proper construct with curly brackets, and hopefully an editor that checks such, the OSX code would have looked like this…</p><p></p><p>if (some condition)</p><p> {</p><p> goto fail;</p><p> goto fail;</p><p> } </p><p></p><p>Not only would he/she have had a much greater chance of noticing the finger check paste, but we wouldn’t be talking about failures of OSX now, since the second and wrong Goto would NEVER be accessed. It can’t be. Had the test been true, the first Goto would be properly run, and if failed, the entire construct inside the brackets would have been ignored. Someday, a programmer might stumble across the code and call out, “Hey, look at this dummy goto statement. Wonder who put that in?” but it wouldn't be a major topic of conversation among users now.</p><p></p><p>End of 2 cents.</p></blockquote><p></p>
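The pattern described in the post above, as an added example that is not part of the original post and is not Apple's code. `hash_update` and `verify_signature` are constructed stand-ins for the real checks; the point it adds is why the skipped check turns into an accepted result: the error variable still holds 0 when the stray goto runs.

```c
#include <stdio.h>

/* Constructed stand-ins for verification steps: 0 = success, non-zero = failure. */
static int hash_update(int ok)      { return ok ? 0 : -1; }
static int verify_signature(int ok) { return ok ? 0 : -2; }

/* Braceless form from the post: only the first goto belongs to the if. */
int verify_flawed(int hash_ok, int sig_ok)
{
    int err;

    if ((err = hash_update(hash_ok)) != 0)
        goto fail;
    goto fail;      /* always runs; err is 0 here because the hash step passed */
    if ((err = verify_signature(sig_ok)) != 0)  /* never reached */
        goto fail;

fail:
    return err;     /* caller treats 0 as "verified" */
}

/* Braced form from the post: the duplicate is dead code inside the block. */
int verify_braced(int hash_ok, int sig_ok)
{
    int err;

    if ((err = hash_update(hash_ok)) != 0) {
        goto fail;
        goto fail;  /* unreachable, harmless */
    }
    if ((err = verify_signature(sig_ok)) != 0) {
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    /* Constructed input: hash step passes, signature is bad. */
    printf("flawed, bad signature: %d\n", verify_flawed(1, 0));  /* 0: accepted */
    printf("braced, bad signature: %d\n", verify_braced(1, 0));  /* -2: rejected */
    return 0;
}
```

Clang's `-Wunreachable-code` flags the skipped check in `verify_flawed`, and GCC's `-Wmisleading-indentation` flags the stray goto when it is indented to match the guarded one.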