[Xotcl] Very severe limitation in XOTcl

Kristoffer Lawson setok at scred.com
Wed Aug 4 11:07:34 CEST 2010


On 4 Aug 2010, at 10:08, mail at xdobry.de wrote:

> Hi!
>  
> I found a work around according to xotcl documentation.
>  
> Foo new [list -init $a]

Thanks yes, as tired as I was last night, I didn't come up with that. The thing is, that basically has to be done all the time if you are passing in variables. Obviously any time you pass a user-generated string, but also in other cases as well when you can't be 100% sure of the content (and often you can't). I probably have hundreds of places where this can cause a bug, at best, and a security hole, at worst.

Using [list -init <vars>] all the time does not, to me, sound like elegant programming. I use the dash feature much more infrequently than just plain instantiation. Besides, you are at risk even with the dash feature, if you pass it an argument...

I'm not exactly sure even how I would solve this for XOTcl. Any special argument syntax is always going to be at risk. As mentioned, even arguments to the dash values are risky. In that respect I would consider dropping the whole feature. It's that risky.

-- 
Kristoffer Lawson, Co-Founder, Scred // http://www.scred.com/
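
The hazard and the workaround discussed in this message, as an added example that is not part of the original post or of XOTcl itself. The class `Note`, the helper `newWithInit` and the sample string are assumptions made for illustration, and the behaviour shown is the one described in this thread for XOTcl 1.x.

```tcl
package require XOTcl
namespace import ::xotcl::*

# Hypothetical class for illustration: init takes one free-form string.
Class Note
Note instproc init {text} {
    my set text $text
}

# Constructed sample input: ordinary user text that happens to start with a dash.
set userText "-remember to call Bob"

# Plain instantiation. XOTcl reads the leading dash as a method name
# ("remember") instead of passing the string to init, so the call is
# expected to fail rather than store the text.
if {[catch {Note new $userText} result]} {
    puts "plain instantiation failed: $result"
}

# Workaround from the thread: wrap the init call in a list so the value
# is handed to init as data and is not scanned for dash arguments.
set n [Note new [list -init $userText]]
puts "stored: [$n set text]"

# Hypothetical helper (not an XOTcl command) that applies the workaround
# in one place, so call sites cannot forget it.
proc newWithInit {class args} {
    return [$class new [linsert $args 0 -init]]
}

set m [newWithInit Note $userText]
puts "stored via helper: [$m set text]"
```

Searching a code base for `new` and `create` calls whose arguments are variables, and checking each against this pattern, is one way to find the call sites the message is concerned about.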


