No, I don't consider information "leaks" within a process to be a security problem (unless you use the pike security system).
And write("foo") would not be affected, only write("%O", "foo");
/ Niels Möller ()
Previous text:
2003-01-30 15:44: Subject: Re: OpenSSL wrapper vs Pike's SSL (Was: Bz2)
When I said flag, I meant a _shared_ flag. If I set the flag on "foo", all strings "foo" anywhere in the program would be treated as secret by %O. One needs a function to set the flag, but normal programs should never try to clear it.
If a function is supposed to print "foo" (a string which is not secret) and suddenly starts printing "CENSORED", then this leaks the information that another part of the program has a secret string which also happens to be "foo". If there is only one part of the program that sets the flag, and it sets it on keys, then you will have exposed the fact that the key is "foo". That's pretty bad, wouldn't you say?
/ Marcus Comstedt (ACROSS) (Hail Ilpalazzo!)
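
The behaviour debated in the two messages above, modelled in Python as an added example (not code from the thread and not Pike code). `SharedStrings`, `mark_secret`, `unrelated_logger` and `SecretBox` are hypothetical names; `SecretBox` is an assumed alternative in which the flag sits on the holder object instead of on the shared string value.

```python
# Python model of the design discussed in the thread; not Pike code.
# All names here (SharedStrings, mark_secret, SecretBox) are hypothetical.

class SharedStrings:
    """Equal strings share one entry, so a flag set on one is set on all."""

    def __init__(self):
        self._secret_values = set()

    def mark_secret(self, s):
        self._secret_values.add(s)  # flag lives on the value, not the holder

    def write(self, fmt, *args):
        """Tiny stand-in for write(): only %O consults the flag."""
        out, it = [], iter(args)
        parts = fmt.split("%O")
        for i, part in enumerate(parts):
            out.append(part)
            if i < len(parts) - 1:
                s = next(it)
                out.append("CENSORED" if s in self._secret_values else repr(s))
        return "".join(out)


class SecretBox:
    """Alternative (assumption): the flag belongs to the holder object."""

    def __init__(self, value):
        self._value = value

    def __repr__(self):
        return "CENSORED"


def unrelated_logger(rt, label):
    """Code with no access to the key that just logs a non-secret label."""
    return rt.write("label=%O", label)


def demo():
    rt = SharedStrings()
    before = unrelated_logger(rt, "foo")  # constructed sample value
    rt.mark_secret("foo")                 # key module flags its key "foo"
    after = unrelated_logger(rt, "foo")   # output changes: the flag is visible
    plain = rt.write("foo")               # no %O, so unaffected
    per_holder = (repr(SecretBox("foo")), repr("foo"))
    return before, after, plain, per_holder
```

The change between `before` and `after` is the signal Marcus objects to; `per_holder` shows that with a holder-side flag an equal, unflagged string still prints normally.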