Re: erlware-commons

Eric Merritt

unread,
15 May 2012, 10:07:29
to Michael Gebetsroither, erlwa...@googlegroups.com
Michael,

I am ccing the erlware-dev list just to keep people apprised. See
responses inline.

On Mon, May 14, 2012 at 6:26 PM, Michael Gebetsroither <mic...@mgeb.org> wrote:
> Hi Eric,
>
> I just tried to rename ec_dictionary to ec_dict as promised, but it seems not that easy.
> The type is really named dictionary; renaming to dict is not possible as it's already in
> erl_types.erl from otp/stdlib.

I am pretty sure I ran into a similar thing originally.

>
> ec_dict vs ec_dictionary is too confusing if the implementation of ec_dictionary really contains the
> implementation for type dict but ec_dict is the generic interface.
> Maybe something like ec_dict_impl.
>
> I doubt I can really just decide on such core points about "your" library and would like to ask before
> sending an inappropriate pull request which would disrupt quite a bit of code...

Well, it's not really my library; it should be a community library,
though erlware has custodianship of it. That said, it sounds like we
just need to solve the naming conflict. Unfortunately, nothing is
coming to me.

I am ok with the renaming suggestions you made above in any case.

>
> btw... imho there is a security bug/problem in erlware-commons/ec_file.
> The function in question is mkdtemp, which calls mkdir_path but which is not
> using the O_EXCL flag to create the temp directory, thus making it prone to link hijacking.
> Additionally it uses a completely monotone and predictable random part, which
> would make it quite an easy target.
> It also doesn't error out if the directory already exists, thus an attacker could hijack
> the mkdtemp call without the application noticing and possibly get to sensitive data.
> Not setting permissions to 0700 for the temp dir is also something unexpected.
>
> Imho if the name of a function is the same as from a standard defined function with special
> security guarantees it's deadly to have the same name but none of the security guarantees.

I agree with you and it should be fixed. Would you file an issue
against erlware/erlware_commons with this detail?

> michael
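To make the guarantees Michael lists concrete, here is an added illustration of a `mkdtemp/1` that has them; it is a hypothetical module written for this thread, not erlware-commons code. It assumes only stdlib and crypto, and relies on `file:make_dir/1` returning `{error, eexist}` when anything (directory, file or symlink) already occupies the chosen name.

```erlang
%% Hypothetical hardened mkdtemp/1 (added example, not erlware-commons code).
-module(safe_mkdtemp).
-export([mkdtemp/1]).

%% Create a uniquely named directory under Base and return {ok, Path}.
%% Three properties the thread asks for:
%%   1. the random part comes from the OS CSPRNG, not a counter or timestamp;
%%   2. an existing path at the chosen name is treated as a collision and
%%      never reused, so a pre-planted directory or symlink cannot be
%%      silently adopted (mkdir(2) itself is exclusive and does not follow
%%      a symlink at the final component);
%%   3. the directory ends up mode 0700.
mkdtemp(Base) ->
    mkdtemp(Base, 100).

mkdtemp(_Base, 0) ->
    %% Too many collisions in a row is itself suspicious: give up loudly.
    {error, eexist};
mkdtemp(Base, Retries) ->
    %% 128 random bits, rendered in base 36 to keep the name short.
    Rand = integer_to_list(binary:decode_unsigned(crypto:strong_rand_bytes(16)), 36),
    Path = filename:join(Base, "tmp." ++ Rand),
    case file:make_dir(Path) of
        ok ->
            %% file:make_dir/1 honours the umask, so tighten to owner-only
            %% right away; the directory is still empty at this point, so
            %% nothing sensitive is exposed before the chmod takes effect.
            case file:change_mode(Path, 8#700) of
                ok ->
                    {ok, Path};
                {error, Reason} ->
                    _ = file:del_dir(Path),
                    {error, Reason}
            end;
        {error, eexist} ->
            %% Name already taken (by chance or on purpose): pick another.
            mkdtemp(Base, Retries - 1);
        {error, Reason} ->
            %% Base missing, not writable, etc. Never fall back to a
            %% pre-existing directory here.
            {error, Reason}
    end.
```

Unlike a `mkdir -p`-style helper, this never succeeds on a path that already existed, which is the behaviour that lets a caller detect tampering instead of writing into someone else's directory.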

Jordan Wilberding

unread,
15 May 2012, 12:12:34
to erlwa...@googlegroups.com
Since a dictionary is just a key-value store, I say we just generalize it and go with ec_kv to replace ec_dictionary. We can also have an ordered dictionary (orddict equiv) and call it ec_ordkv if we want.

Thanks!
JW


--
You received this message because you are subscribed to the Google Groups "erlware-dev" group.
To post to this group, send email to erlwa...@googlegroups.com.
To unsubscribe from this group, send email to erlware-dev...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/erlware-dev?hl=en.

