On Saturday, 21 December 2013 at 01:19:46 UTC, Luís Marques wrote:
> Yes, I implemented a timeout of just a few seconds (7s, I think). It's short so that it doesn't take too long to test with all the compiler versions. I actually tested that the template recursion is limited (500) but not CTFE (at least in my check of that it was still executing after about 15 minutes). That's also why there is already a test called "infinite CTFE", I wanted to make sure that a DOS could not be achieved with a single test case (but is still easy at the moment, since I don't have rate limiting ;))

Ah, right - CTFE is indeed not time limited, only has a recursion limit I think. A limit imposed directly in the compiler would do more harm than good, so it's perfectly understandable.

Assuming you're invoking DMD as a shell command - make sure no user input ends up in the shell command, like the name of the test etc.

On Sat, Dec 21, 2013 at 02:13:21AM +0100, Jakob Ovrum wrote: [...]
> Well, then it does become a lot harder to exploit, but DMD being a C++ project it might be prone to security flaws, especially in past versions (I'm not very familiar with the DMD codebase, so can't say for sure). Make sure you don't link the executables at least, so DMD is the only point of failure. I would use "-c -o-". It becomes security through obscurity - who would want to rummage through past versions of DMD's source code?
[...]

Has DMD always had -J for string imports? 'cos if not, I'd be fearful of somebody using string imports to view the contents of arbitrary files.

	string x = import("/etc/passwd");
	pragma(msg, x);
	// or trigger a compile error that generates a message
	// containing the contents of x.


T

-- 
Computers aren't intelligent; they only think they are.

On Saturday, 21 December 2013 at 01:33:53 UTC, H. S. Teoh wrote:
> Has DMD always had -J for string imports? 'cos if not, I'd be fearful of
> somebody using string imports to view the contents of arbitrary files.
>
> 	string x = import("/etc/passwd");
> 	pragma(msg, x);
> 	// or trigger a compile error that generates a message
> 	// containing the contents of x.

I'm not passing -J to DMD, so I can't see how that would work. Also, I'm not returning to the server any output from DMD, other than the return code (success / failure).

On Saturday, 21 December 2013 at 01:42:34 UTC, Luís Marques wrote:
> I'm not passing -J to DMD, so I can't see how that would work. Also, I'm not returning to the server any output from DMD, other than the return code (success / failure).

Ahh, I misunderstood you. I'll check it.

On Saturday, 21 December 2013 at 01:33:53 UTC, H. S. Teoh wrote:
> Has DMD always had -J for string imports? 'cos if not, I'd be fearful of
> somebody using string imports to view the contents of arbitrary files.

It fails to import the source code for the test file, so I guess it's safe?

    http://www.luismarques.eu/d/archeology/EAAF3C6C36A7C00F9A003EAD7C02789853389539
    http://www.luismarques.eu/d/archeology/A75AEA5BBAFC3DED20BCAAF12E0C5664F1F09E1B

(I had assumed string imports always had -J because that was the only option that made sense, and Walter is competent :-)

There is something weird.
How does UFCS compile since the earliest versions?
http://www.luismarques.eu/d/archeology/56CDCBDBE4688E996548A3F39E63843ADEFBF570

On Saturday, 21 December 2013 at 10:20:58 UTC, yazd wrote:
> There is something weird.
> How does UFCS compile since the earliest versions?
> http://www.luismarques.eu/d/archeology/56CDCBDBE4688E996548A3F39E63843ADEFBF570

It has always worked for slices. The recent change expanded it to work with any type.

""Luís Marques <luis@luismarques.eu>" <=?UTF-8?B?Ikx1w61z?= Marques <luis@luismarques.eu>> wrote in message news:lwzpootzzqxwbpcextiu@forum.dlang.org...
> Hi,
>
> My memory of the timeline of D features is quite fuzzy, so I created a service to test snippets of D source code with *all* of the DMD versions publicly available.
>
> Right now the service is *very* in the rough and the UI is butt ugly (it just outputs the raw results), but it seems to be working. Give it a try, to fill it with some data and start exposing the bugs:
>
>     http://www.luismarques.eu/d/archeology
>

This is pretty cool.  I've wanted something like this integrated with the test suite and bugzilla to automatically find duplicates fixed and track regressions.

On 2013-12-21 01:22, "Luís Marques" <luis@luismarques.eu>" wrote:
> Hi,
>
> My memory of the timeline of D features is quite fuzzy, so I created a
> service to test snippets of D source code with *all* of the DMD versions
> publicly available.
>
> Right now the service is *very* in the rough and the UI is butt ugly (it
> just outputs the raw results), but it seems to be working. Give it a
> try, to fill it with some data and start exposing the bugs:
>
>      http://www.luismarques.eu/d/archeology
>
> I haven't yet secured the client which does the tests, and I imagine
> that the old DMD versions are full of vulnerabilities, so please don't
> be a jerk :-) (I hope the client doesn't die, I left it running at work,
> as I don't have a Windows machine set up at home).
>
> Thanks for Adam "Destructinator" Ruppe, for fixing the bugs I
> encountered in the ddb library (PostgreSQL lib).
>
> Luís

This is really cool :)

-- 
/Jacob Carlborg

On Saturday, 21 December 2013 at 10:34:20 UTC, Jakob Ovrum wrote:
> On Saturday, 21 December 2013 at 10:20:58 UTC, yazd wrote:
>> There is something weird.
>> How does UFCS compile since the earliest versions?
>> http://www.luismarques.eu/d/archeology/56CDCBDBE4688E996548A3F39E63843ADEFBF570
>
> It has always worked for slices. The recent change expanded it to work with any type.

I didn't know that.
This looks useful on the long run especially with the bootstrapping of the compiler.