[e-lang] An attack on a mint
Sandro Magi
naasking at higherlogics.com
Wed Mar 5 10:25:50 EST 2008
Sandro Magi wrote:
> How about an explicit "seq" object/function, which simply chains
> functions and/or operations together in sequence. That way sequencing is
> enforced in the code by the language's semantics, and anyone reading the
> code will understand that the sequencing was made explicit for a reason.
> It's a more explicit marker than comments.
Perhaps some more detail is in order:
Tyler Close wrote:
> During the Waterken security review, I think we also determined this
> money destroying bug could be fixed by simply switching the order of
> the two lines:
>
> balance += r;
> src.balance = 0;
function seq(first, second) {
first();
second();
}
...
seq(function() {
src.balance = 0;
}, function() {
balance += r;
});
...
Javascript is a little heavyweight in its syntax here, but the explicit
'seq' might alert the read that this explicit sequencing is important.
Alternate syntax structure might make this more apparent, ie.:
seq(
function() {src.balance = 0;},
function() {balance += r;}
);
Sandro
More information about the e-lang
mailing list