[Mono-dev] Mono and medium trust

Robert Jordan robertj at gmx.net
Sat Sep 3 09:21:38 EDT 2011

On 03.09.2011 13:10, quandary wrote:
>>   You could, but this is not how security evolves ;)
> xD I know. But for now, a quick and dirty hack is better than half a
> year of work.
> Looking at:
> mono/metadata/loader.c:mono_lookup_pinvoke_call
> I just wanted to say, that looking at the source file, this line hurt my
> eye:
> if (strstr (new_scope, ".dll") == (new_scope + strlen (new_scope) - 4)) {
> If you want to check whether new_scope ends on ".dll", I wouldn't do a
> strstr.

This is correct, but the average length of "new_scope" is small
because it doesn't contain a full path most of the time, so we're
basically talking about optimizing the lookup of ".dll" in
strings like "kernel32.dll" or "libc.so.6" in a function
that does a lot of other costly stuff... Mono hackers usually
take this into account during coding.

I'm not saying that functions like str_{starts|ends}_with()
won't be useful, but it's usually not rewarding enough to
touch already tested (and profiled) code.

If you find such issues in the future, please file bugs so
they don't get lost because the probability that some hacker
will track our conversation and replace strstr is near zero.


More information about the Mono-devel-list mailing list