Re: Object tag crashes Internet Explorer 4.0

From: Paul Leach (paulleat_private)
Date: Thu Aug 06 1998 - 14:21:31 PDT

    > -----Original Message-----
    > From: Pascal Gienger [mailto:pat_private]
    > Sent: Thursday, August 06, 1998 1:51 PM
    >
    > See also the posting about taking Web Pages as INPUT to a program.
    > The only right way IMHO to do it.
    
    We do take it as input. If that input has (e.g.) long file names that
    exercise buffer overrun bugs, we fix it. If it has syntax errors, we report
    that.
    
    What has gotten completely lost is that all I said was: If that input is
    (essentially) a program that might contain infinite loops or recursion, we
    do not attempt to thoroughly examine the program to determine if they exist,
    because the Turing machine halting theorem says that it is _in general_
    impossible to write a program that does that.
    
    Instead, the program is executed (if IE is configured to even let such
    programs run), and if the stack overflows, the screen will be redrawn, and
    the window on the page you were viewing will disappear.  The system and
    other programs running at the same time will be unaffected. To continue
    browsing the web, you'll have to double click on the browser icon again. If
    anyone has seen behavior other than this, let me know.
    
    > A program being able to crash based solely on user input is
    > buggy. There are no chances to turn that around.
    
    It's a bug. I never said otherwise. What I did say is that it wasn't
    possible to fix it by examining the contents of the web page to decide not
    to execute it if it had an infinite recursion.
    
    I will also say that we'll fix buffer overrun bugs, privacy violation bugs,
    loss of data bugs, unauthorized access to data bugs, and server DoS bugs
    ahead of this kind of bug.
    
    Paul
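
The approach argued for in the message above (run the content and contain the failure, rather than try to prove beforehand that it terminates), as an added example that is not part of the original post or of any browser's code. The mini-format (named definitions that can embed one another), the function names and the limits are all assumptions made for the illustration.

```python
class BudgetExceeded(Exception):
    """Untrusted content used more nesting depth or steps than allowed."""

def expand(page, name, budget, depth=0):
    """Expand definition `name`, charging every item against the budget."""
    if depth > budget["max_depth"]:
        raise BudgetExceeded(f"depth limit hit while expanding {name!r}")
    out = []
    for item in page[name]:
        budget["steps"] -= 1
        if budget["steps"] < 0:
            raise BudgetExceeded("step limit hit")
        if isinstance(item, tuple):      # ("ref", other): embed another definition
            out.append(expand(page, item[1], budget, depth + 1))
        else:                            # plain text
            out.append(item)
    return "".join(out)

def render(page, entry="main", max_depth=16, max_steps=1000):
    """Execute the content; on failure drop this page only and report why."""
    budget = {"max_depth": max_depth, "steps": max_steps}
    try:
        return ("ok", expand(page, entry, budget))
    except (BudgetExceeded, RecursionError) as exc:
        return ("aborted", str(exc))     # the host keeps running
    except KeyError as exc:
        return ("error", f"undefined reference {exc.args[0]!r}")

# Constructed sample inputs (hypothetical format, not real page markup).
FINITE = {"main": ["a", ("ref", "b"), "d"], "b": ["b", ("ref", "c")], "c": ["c"]}
LOOPING = {"main": ["x", ("ref", "main")]}          # embeds itself forever
DEEP = {f"n{i}": [("ref", f"n{i + 1}")] for i in range(40)}
DEEP["n40"] = ["end"]                               # terminates, 40 levels down

if __name__ == "__main__":
    print(render(FINITE))                  # expands normally
    print(render(LOOPING))                 # cut off at run time, no analysis
    print(render(DEEP, entry="n0"))        # terminating input, still refused
    print(render(DEEP, entry="n0", max_depth=64))
```

The `DEEP` case shows why the budget is containment and not a halting decision: it rejects an input that would have terminated, and only raising the limit lets it through.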
    


