CodeSOD: The Threat of Existence

Wednesday, March 24, 2021, 09:30

Imagine, if you will, that you see a method called FileExists. It takes a string input called strPath, and returns a bool. Without looking at the implementation, I think you'd have a very good sense of what it's supposed to do. Why, you wouldn't even expect much documentation, because the name and parameters are really clear about what the method actually does.

Unless this method was in the C# codebase "AK" inherited. In that case, the behavior of FileExists might surprise you:

    public bool FileExists(string strPath)
    {
        try
        {
            File.WriteAllText(strPath, "blah");
            return true;
        }
        catch (Exception ex) {/* do nothing */}
        return false;
    }

This method invokes File.WriteAllText, which does more or less what you'd expect, unlike this method.

So what this method actually does is overwrite the contents of whatever is in strPath with "blah". If it can do that write, then it returns true. If it can't do that write, perhaps because the directory doesn't exist, or the user doesn't have permission, then it returns false.

Normally, we think of "FileExists" as a check, but in this case, it's more of a threat. By the time this method executes, that file will definitely exist, if it's at all possible to create that file. And if the contents of that file were important before you called this method, well they certainly aren't now.
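A small audit harness for this failure mode, added here as an example and not taken from AK's codebase: it runs any "exists"-style check against a scratch directory and reports whether the check changed the file system. The names ExistenceCheckAudit, InheritedFileExists and FindSideEffect, and the sample file contents, are assumptions made for the illustration; File.Exists is the standard .NET read-only check.

```csharp
using System;
using System.IO;

static class ExistenceCheckAudit
{
    // The inherited method from the article, behaviour unchanged.
    static bool InheritedFileExists(string strPath)
    {
        try { File.WriteAllText(strPath, "blah"); return true; }
        catch (Exception) { /* do nothing */ }
        return false;
    }

    // Runs `check` on one existing and one missing file inside a scratch
    // directory and describes any change it made to the file system.
    static string FindSideEffect(Func<string, bool> check)
    {
        string dir = Directory.CreateDirectory(
            Path.Combine(Path.GetTempPath(), Path.GetRandomFileName())).FullName;
        try
        {
            string present = Path.Combine(dir, "present.txt");
            string absent = Path.Combine(dir, "absent.txt");
            File.WriteAllText(present, "important data"); // constructed sample content

            check(present);
            check(absent);

            if (File.ReadAllText(present) != "important data")
                return "existing file was overwritten";
            if (File.Exists(absent))
                return "missing file was created";
            return "no side effects";
        }
        finally { Directory.Delete(dir, recursive: true); }
    }

    static void Main()
    {
        Console.WriteLine("inherited FileExists: " + FindSideEffect(InheritedFileExists));
        Console.WriteLine("File.Exists:          " + FindSideEffect(File.Exists));
    }
}
```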


https://thedailywtf.com/articles/the-threat-of-existence
