Designing socket messaging format
Stephen
shriek at gmx.co.uk
Mon Nov 12 20:35:55 EST 2001
> Why not save yourself a little coding and just use netstrings?
>
> more info: http://itamarst.org/multiplex
> advogato copy: http://www.advogato.org/article/212.html
> python code: http://itamarst.org/downloads/multiplex-0.2.tgz
> description: http://cr.yp.to/proto/netstrings.txt
Just read Dan Bernstein's description. Interesting note about
security considerations using CRLF, which follows on from an
earlier post in this thread.

4. Security considerations

The famous Finger security hole may be blamed on Finger's use of the
CRLF encoding. In that encoding, each string is simply terminated by
CRLF. This encoding has several problems. Most importantly, it does
not declare the string size in advance. This means that a correct
CRLF parser must be prepared to ask for more and more memory as it is
reading the string. In the case of Finger, a lazy implementor found
this to be too much trouble; instead he simply declared a fixed-size
buffer and used C's gets() function. The rest is history.

In contrast, as the above sample code shows, it is very easy to
handle netstrings without risking buffer overflow. Thus widespread
use of netstrings may improve network security.

Stephen
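
Added example, not part of the original post or of the netstrings description: an incremental netstring decoder for bytes read from a stream socket, showing how the declared length lets the receiver reject an oversized message before buffering its payload. The class names and the max_len limit are assumptions chosen for illustration.

```python
class NetstringError(ValueError):
    """Input is not a valid netstring or exceeds the configured size limit."""


class NetstringDecoder:
    """Incremental decoder: feed() raw socket bytes, get complete payloads back."""

    def __init__(self, max_len=65536):  # max_len: assumed application limit
        self.max_len = max_len
        self.max_digits = len(str(max_len))  # longest acceptable length header
        self.buf = bytearray()

    def feed(self, data):
        """Append received bytes and return every payload completed so far."""
        self.buf += data
        out = []
        while (payload := self._next()) is not None:
            out.append(payload)
        return out

    def _next(self):
        # Look for ':' only within the longest header we are willing to accept,
        # so a peer cannot make us scan or buffer an unbounded run of digits.
        colon = self.buf.find(b":", 0, self.max_digits + 1)
        if colon < 0:
            if len(self.buf) > self.max_digits or (self.buf and not self.buf.isdigit()):
                raise NetstringError("bad length header")
            return None  # header still incomplete, wait for more bytes
        header = bytes(self.buf[:colon])
        # Digits only, and no leading zeros except the single header "0".
        if not header.isdigit() or (header != b"0" and header.startswith(b"0")):
            raise NetstringError("bad length header")
        n = int(header)
        # The size is known before any payload is stored: refuse it here.
        if n > self.max_len:
            raise NetstringError("declared length exceeds limit")
        end = colon + 1 + n
        if len(self.buf) <= end:
            return None  # payload or trailing comma not fully received yet
        if self.buf[end:end + 1] != b",":
            raise NetstringError("missing trailing comma")
        payload = bytes(self.buf[colon + 1:end])
        del self.buf[:end + 1]
        return payload
```

Because the payload is length-delimited, CR and LF bytes inside it are ordinary data and cannot end a message early.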