CodingStyle changed

Secuirty guidlines: use of the untrusted_prefix
2025-01-13 16:29:59 -05:00 · 2013-04-18 11:35:01 +00:00 · 2013-04-18 11:35:01 +00:00 · 7e6710e007
commit 7e6710e007
parent 7f8e11106d
1 changed files with 13 additions and 1 deletions
--- a/CodingStyle.md
+++ b/CodingStyle.md
@ -122,8 +122,20 @@ Security coding guidelines

 -   As a general rule: **untrusted input** is our \#1 enemy!
 -   Any input that comes from untrusted, or less trusted, or just differently-trusted, entity should always be considered as malicious and should always be sanitized and verified. So, if your software runs in Dom0 and processes some input from any of the VMs, this input should be considered to be malicious. Even if your software runs in a VM, and processes input from some other VM, you should also assume that the input is malicious and verify it.
+-   Use `untrusted_` prefix for all variables that hold values read from untrusted party and which have not yet been verified to be decent, e.g.:

-To Be Continued.
+    ``` {.wiki}
+       read_struct(untrusted_conf);
+       /* sanitize start */
+       if (untrusted_conf.width > MAX_WINDOW_WIDTH)
+           untrusted_conf.width = MAX_WINDOW_WIDTH;
+       if (untrusted_conf.height > MAX_WINDOW_HEIGHT)
+           untrusted_conf.height = MAX_WINDOW_HEIGHT;
+       width = untrusted_conf.width;
+       height = untrusted_conf.height;
+    ```
+
+-   Use another variables, without the `untrusted_` prefix to hold the sanitized values, as seen above.

 Python-specific guidelines
 --------------------------