Here's one for the #langsec crowd. CloudFlare used a parser generator named Ragel; they didn't parse manually.
Bug was in generated code.
If you're forced to work in an unsafe language, they provide a lot of extra protection, though.
-
-
At least if they provide those kinds of guarantees and a sane API for integration. Compiling safe lang to C would too.
-
Ragel is a really neat tool, but I really would not recommend using it with the C backend in anything that's meant to be secure.
-
Also there are often better ways to do stuff... full blown parser generators or simply using regex (can be compile-time too).
-
Even regex can be a bad idea, since backtracking implementations don't provide the O(nm) guarantee that re2, etc. can do.
-
I was about to comment that many regex libs are not regular anymore. :)
-
re2 is actually regular and has a time complexity guarantee though, and so do the standard Go and Rust libs inspired by it.
-
https://codesearch.debian.net/ uses an indexed variant of the full re2 regex dialect which is pretty cool...