[PATCH] Fix two CIDs

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Nov 22 15:09:29 UTC 2017


On Wed, Nov 22, 2017 at 07:54:05AM -0700, David Mulder via samba-technical wrote:
> 
> On 11/21/2017 01:04 PM, Volker Lendecke via samba-technical wrote:
> > Hi!
> >
> > This NEWLY pushed file so severely needs overhaul to match
> > README.Coding :-(
> >
> > For example there are several if-statements without {} around the
> > code. There's a reason why we don't want this: CVE 2014-1266, which
> > was an early one with a famous name. Is this file so completely immune
> > to any security-relevant exposure that this does not matter here? How
> > have we verified that this is irrelevant to security?
> I think security does matter here, since we're authenticating and
> pulling info from the sysvol.
> Not putting {} around if statements is a bad habit of mine.
> > I'm not talking about the cosmetic 80-column thingy, something which
> > this file does not follow either. I am talking about our way to
> > protect from one aspect of security-aware coding, and a very easily
> > implemented one.
> Actually, if you set your tabwidth to 4 chars, the file abides by the
> 80-column width (my bad).
> Obviously that was a mistake.

This is not about you, none of this is. It's about our insufficient
review process that does not catch them.

Sorry you got involved,

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
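The brace-less if pattern Volker refers to, as an added C example that is not code from the patch under discussion or from Samba: it models the duplicated `goto fail;` line behind CVE-2014-1266, with the outcomes of the individual checks passed in as stand-in parameters (an assumption made for the demonstration), and shows the same duplicated line beside its braced counterpart.

```c
#include <stdio.h>

/* Added example, not from the patch or from Samba. The check results
 * (hash_err, final_err) are stand-ins: 0 means the check passed, any
 * other value is an error code. A return value of 0 means "verified". */

/* Unbraced if: the duplicated "goto fail;" is not part of the if-body,
 * so it runs unconditionally, the final check is skipped, and err is
 * still 0 from the earlier successful check. */
static int verify_unbraced(int hash_err, int final_err)
{
    int err = 0;

    if ((err = hash_err) != 0)
        goto fail;
        goto fail;            /* duplicated line: always executed */
    if ((err = final_err) != 0)
        goto fail;

fail:
    return err;
}

/* Braced if: the same duplicated line now sits inside the block, so it
 * only runs when the first check fails and the final check is reached. */
static int verify_braced(int hash_err, int final_err)
{
    int err = 0;

    if ((err = hash_err) != 0) {
        goto fail;
        goto fail;            /* harmless: only reached on failure */
    }
    if ((err = final_err) != 0) {
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    /* constructed inputs: the hash check passes, the final check fails */
    printf("unbraced: %d (0 = accepted despite a failed check)\n",
           verify_unbraced(0, -1));
    printf("braced:   %d\n", verify_braced(0, -1));
    return 0;
}
```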


