From 7e6710e007d6c985e31aa523e5e6c9367b00ce4d Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Thu, 18 Apr 2013 11:35:01 +0000 Subject: [PATCH] CodingStyle changed Security guidelines: use of the untrusted_prefix --- CodingStyle.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/CodingStyle.md b/CodingStyle.md index 727a1bef..50810778 100644 --- a/CodingStyle.md +++ b/CodingStyle.md @@ -122,8 +122,20 @@ Security coding guidelines - As a general rule: **untrusted input** is our \#1 enemy! - Any input that comes from untrusted, or less trusted, or just differently-trusted, entity should always be considered as malicious and should always be sanitized and verified. So, if your software runs in Dom0 and processes some input from any of the VMs, this input should be considered to be malicious. Even if your software runs in a VM, and processes input from some other VM, you should also assume that the input is malicious and verify it. +- Use `untrusted_` prefix for all variables that hold values read from untrusted party and which have not yet been verified to be decent, e.g.: -To Be Continued. + ``` {.wiki} + read_struct(untrusted_conf); + /* sanitize start */ + if (untrusted_conf.width > MAX_WINDOW_WIDTH) + untrusted_conf.width = MAX_WINDOW_WIDTH; + if (untrusted_conf.height > MAX_WINDOW_HEIGHT) + untrusted_conf.height = MAX_WINDOW_HEIGHT; + width = untrusted_conf.width; + height = untrusted_conf.height; + ``` + +- Use another variables, without the `untrusted_` prefix to hold the sanitized values, as seen above. Python-specific guidelines --------------------------
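Review bot: The sample sanitizer in the new `{.wiki}` block only clamps the upper bound of `untrusted_conf.width` and `untrusted_conf.height`; if those fields are signed, a negative value passes both `>` checks and is copied into `width` and `height` unverified, so the example should also check the lower bound (for instance `if (untrusted_conf.width < 0)`), and the bullet introducing it should say that every field copied out of an `untrusted_` variable is checked against all of its valid range, not just a maximum. The comment `/* sanitize start */` has no matching end marker before the copies into `width`/`height`; either add a `/* sanitize end */` line or drop the start marker so readers do not look for a region that is not delimited. Wording in the added bullets: `read from untrusted party` should be `read from an untrusted party`, `verified to be decent` is vague and reads better as `verified to be valid`, and `Use another variables, without the \`untrusted_\` prefix to hold` should be `Use other variables, without the \`untrusted_\` prefix, to hold`.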