Default arguments in function callbacks not taken into account when instantiating templates has huge security implications
Wyatt via Digitalmars-d
digitalmars-d at puremagic.com
Tue Apr 29 09:41:36 PDT 2014
On Tuesday, 29 April 2014 at 10:38:24 UTC, Andrej Mitrovic via
Digitalmars-d wrote:
>
> void main()
> {
>     auto safeCallback = (string user, string pass = "hunter2")
>     {
>         writefln("The password is: '%s'", pass);
>     };
>
I'm sorry, but can you explain how this lets an attacker learn
anything useful? I think it's a funny trick, and I agree on
principle that it's probably an error that should be fixed, but
I'm having trouble coming up with reasons why being able to
discover the default argument (which I would assume is sentinel
junk) has gravity. I would generally consider literal
assignments in code to be trivially compromised anyway?
-Wyatt