Correct comment on String::copy_into_slice #1055
Conversation
graydon
force-pushed
the
correct-string-comment
branch
from
7643b62
to
8f8f24e
Compare
I think it could be argued that For example, this code will work without error: let env = Env::default();
let expected = "my string";
let my_string = String::from_slice(&env, expected);
let mut short_array: [u8; 2] = [0; 2];
my_string.copy_into_slice(&mut short_array);
assert_eq!(short_array, "my".as_bytes());(Code is taken from an example posted by @vinamogit on the stellar-dev Discord.) |
|
@leighmcculloch I can see making that change on the specific API in the SDK you're describing; in the host interface it's actually more general already (it takes a start-position within the string, i.e. it allows not just doing a copy that's short from either the start or the end of the string). Would you want the env interface to be tightened also, requiring the user to do an explicit string-slice host function call before doing a copy-out call? |
|
I think it's reasonable to cover the footgun in the SDK without an env change. |
graydon
force-pushed
the
correct-string-comment
branch
from
8f8f24e
to
45c72fb
Compare
|
@leighmcculloch ok I've updated it to panic on length mismatch, lmk if this is more to your liking. |
graydon
force-pushed
the
correct-string-comment
branch
from
613d678
to
f27e88f
Compare
The copy routine here actually traps if you pass an output slice larger than the string. I think this is correct, since the previously-documented not-actually-performed behaviour (taking the minimum size of the output or the string) is a potential footgun / attack vector if someone tricks a contract into "copying N bytes" out of a string much smaller than N -- they get to basically force the output to be whatever the buffer's content was. The newly documented (already existing) behaviour does less magic / is less surprising / fails under more abnormal circumstances.