Original issue 686 created by brazilofmux on 2015-03-01T20:06:16.000Z:
Description of the feature:
Add a configuration option to treat the use of ## (as in iter) as %i0 or disable it entirely.
e.g. @admin safer_iter=yes
The vast majority of softcode security holes occur because of improper use of ##. Its evaluation is rarely if ever wanted. %i0 does not cause evaluation.
Considerations:
Nesting iter evaluation arguments would not work as expected when using ## and safer_iter. For example:
> th iter(a b c,iter(1 2 3,##))
a a a b b b c c c
> th iter(a b c,iter(1 2 3,%i0))
1 2 3 1 2 3 1 2 3
With some extra work, ## could be replaced with the appropriate level of %i instead. This would actually be preferable to simply substituting the results of %i0.
This could be more work than it's worth, however, and replacing ## with %i might lead to some hard-to-find softcode bugs when dealing with legacy softcode. It may be better (and easier) to disable evaluation of ## entirely, which would more likely force the code to be reviewed.
Eventually, it would be nice for ## to be deprecated, and ultimately safer_iter defaulting to 'yes' instead of 'no'. Until then it would be nice to have a way to control on a game-by-game basis whether the most common softcode security risk is accessible.
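The following is an added example, not TinyMUX code and not from the issue author: a small Python model of the substitution order that makes ## dangerous and %i0 safe. The evaluator, the `get()` and `pemit()` stand-ins, the attribute store and the three `safer_iter` values ("no", "yes", and "disable" as a name for the author's "disable it entirely" alternative) are all constructed for illustration. It reproduces the two nested-iter outputs quoted in the issue, shows why a plain ## -> %i0 rewrite changes nesting behaviour, and shows a list element read from an attribute being executed as code under ## but merely printed under %i0.

```python
"""Toy model of MUSH-style iter() substitution (constructed, not TinyMUX code)."""
import re

# Constructed attribute store: list data a game might read back with get().
ATTRS = {"me/names": "alice [pemit(me,hijacked)] bob"}


class Game:
    """Minimal softcode evaluator: name(args) calls, [..] embedded calls,
    %iN iter registers and the ## token. safer_iter is "no" (classic: ## is
    spliced in as code), "yes" (## behaves like %i0) or "disable" (## stays
    literal text)."""

    def __init__(self, safer_iter="no"):
        self.safer_iter = safer_iter
        self.iters = []          # innermost iter element first: %i0, %i1, ...
        self.side_effects = []   # what the stand-in pemit() was asked to send

    @staticmethod
    def _matching(text, start, open_c, close_c):
        """Index of the close_c that balances the open_c at text[start]."""
        depth = 0
        for k in range(start, len(text)):
            if text[k] == open_c:
                depth += 1
            elif text[k] == close_c:
                depth -= 1
                if depth == 0:
                    return k
        raise ValueError("unbalanced %r in %r" % (open_c, text))

    @staticmethod
    def _split_args(s):
        """Split on commas that are not nested inside () or []."""
        args, cur, depth = [], [], 0
        for ch in s:
            depth += ch in "([" and 1 or ch in ")]" and -1 or 0
            if ch == "," and depth == 0:
                args.append("".join(cur))
                cur = []
            else:
                cur.append(ch)
        return args + ["".join(cur)]

    def evaluate(self, text):
        """A call spanning the whole expression is dispatched; otherwise text is
        copied literally except for [..] calls and %iN registers. Function
        results are never re-evaluated, as in a real MUSH."""
        m = re.match(r"([a-z]+)\(", text)
        if m and self._matching(text, m.end() - 1, "(", ")") == len(text) - 1:
            return self._call(m.group(1), text[m.end():-1])
        out, i = [], 0
        while i < len(text):
            if text[i] == "[":
                j = self._matching(text, i, "[", "]")
                out.append(self.evaluate(text[i + 1:j]))
                i = j + 1
            elif text.startswith("%i", i) and i + 2 < len(text) and text[i + 2].isdigit():
                n = int(text[i + 2])
                out.append(self.iters[n] if n < len(self.iters) else "")
                i += 3
            else:
                out.append(text[i])
                i += 1
        return "".join(out)

    def _call(self, name, argstr):
        args = self._split_args(argstr)
        if name == "iter":
            return self._iter(args[0], args[1])
        if name == "get":            # stand-in: returns stored text unevaluated
            return ATTRS.get(self.evaluate(args[0]).lower(), "")
        if name == "pemit":          # stand-in for any side-effect function
            self.side_effects.append(tuple(self.evaluate(a) for a in args[:2]))
            return ""
        raise ValueError("unknown function " + name)

    def _iter(self, list_expr, action):
        """Classic iter(): evaluate the list once, then per element rewrite the
        *unevaluated* action text and evaluate it. With ## the element text
        itself becomes code; with %i0 the element is only read as a value."""
        results = []
        for element in self.evaluate(list_expr).split():
            if self.safer_iter == "yes":
                body = action.replace("##", "%i0")
            elif self.safer_iter == "disable":
                body = action
            else:
                body = action.replace("##", element)
            self.iters.insert(0, element)
            try:
                results.append(self.evaluate(body))
            finally:
                self.iters.pop(0)
        return " ".join(results)


if __name__ == "__main__":
    for expr in ("iter(a b c,iter(1 2 3,##))", "iter(a b c,iter(1 2 3,%i0))",
                 "iter(get(me/names),##)", "iter(get(me/names),%i0)"):
        for mode in ("no", "yes", "disable"):
            g = Game(mode)
            print("safer_iter=%-7s %-28s -> %r  pemit calls: %s"
                  % (mode, expr, g.evaluate(expr), g.side_effects))
```

The `get(me/names)` case is the one that matters for security: the bracketed text lives in data, never in the coder's own action string, yet under classic ## it runs because the element is spliced into the action before evaluation. Under %i0 (or `safer_iter=yes`) the same element is substituted during evaluation and comes back as plain text. The nested case shows the author's caveat: a blanket ## -> %i0 rewrite refers to the innermost iter, so `iter(a b c,iter(1 2 3,##))` changes from `a a a b b b c c c` to `1 2 3 1 2 3 1 2 3`; mapping ## to `%i1` there would preserve the old output.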