Diffstat (limited to 'docs')
-rw-r--r--  docs/bugs.json                    | 8
-rw-r--r--  docs/bugs_by_version.json         | 8
-rw-r--r--  docs/security-considerations.rst  | 19
3 files changed, 31 insertions, 4 deletions
diff --git a/docs/bugs.json b/docs/bugs.json
index c642793a..b464be18 100644
--- a/docs/bugs.json
+++ b/docs/bugs.json
@@ -1,5 +1,13 @@
[
{
+ "name": "OneOfTwoConstructorsSkipped",
+ "summary": "If a contract has both a new-style constructor (using the constructor keyword) and an old-style constructor (a function with the same name as the contract) at the same time, one of them will be ignored.",
+ "description": "If a contract has both a new-style constructor (using the constructor keyword) and an old-style constructor (a function with the same name as the contract) at the same time, one of them will be ignored. There will be a compiler warning about the old-style constructor, so contracts only using new-style constructors are fine.",
+ "introduced": "0.4.22",
+ "fixed": "0.4.23",
+ "severity": "very low"
+ },
+ {
"name": "ZeroFunctionSelector",
"summary": "It is possible to craft the name of a function such that it is executed instead of the fallback function in very specific circumstances.",
"description": "If a function has a selector consisting only of zeros, is payable and part of a contract that does not have a fallback function and at most five external functions in total, this function is called instead of the fallback function if Ether is sent to the contract without data.",
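Review bot: the new "description" opens with a verbatim copy of the "summary" sentence; the neighbouring ZeroFunctionSelector entry keeps the two fields distinct (summary states the effect, description gives the exact trigger conditions), so trim this description to what the summary does not already say. It should also state which of the two constructors is the one that gets ignored, or that this is not predictable, because "one of them will be ignored" does not let a reader judge what a contract with both constructors actually does when deployed. The mitigation already present in the text (the old-style constructor produces a compiler warning, so new-style-only contracts are unaffected) is the useful part and should stay.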
diff --git a/docs/bugs_by_version.json b/docs/bugs_by_version.json
index 32f305c8..d96bfde3 100644
--- a/docs/bugs_by_version.json
+++ b/docs/bugs_by_version.json
@@ -423,9 +423,15 @@
"released": "2018-03-07"
},
"0.4.22": {
- "bugs": [],
+ "bugs": [
+ "OneOfTwoConstructorsSkipped"
+ ],
"released": "2018-04-16"
},
+ "0.4.23": {
+ "bugs": [],
+ "released": "2018-04-19"
+ },
"0.4.3": {
"bugs": [
"ZeroFunctionSelector",
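Review bot: the version mapping is consistent with bugs.json, which records OneOfTwoConstructorsSkipped as introduced in 0.4.22 and fixed in 0.4.23, so the bug appears only under "0.4.22" and the new "0.4.23" entry has an empty list. The release date "2018-04-19" is entered by hand, though; verify it against the actual release tag before merging, since tooling that maps a compiler version to affected bugs will repeat whatever is written here. If this file is derived from bugs.json by a script, regenerate it rather than editing it manually so the two files cannot drift apart.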
diff --git a/docs/security-considerations.rst b/docs/security-considerations.rst
index 49fd7ea4..3e1c3a12 100644
--- a/docs/security-considerations.rst
+++ b/docs/security-considerations.rst
@@ -225,9 +225,6 @@ Minor Details
=============
- In ``for (var i = 0; i < arrayName.length; i++) { ... }``, the type of ``i`` will be ``uint8``, because this is the smallest type that is required to hold the value ``0``. If the array has more than 255 elements, the loop will not terminate.
-- The ``constant`` keyword for functions is currently not enforced by the compiler.
- Furthermore, it is not enforced by the EVM, so a contract function that "claims"
- to be constant might still cause changes to the state.
- Types that do not occupy the full 32 bytes might contain "dirty higher order bits".
This is especially important if you access ``msg.data`` - it poses a malleability risk:
You can craft transactions that call a function ``f(uint8 x)`` with a raw byte argument
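Review bot: the bullet about ``constant`` not being enforced is deleted without any replacement, and the hunk gives no reason. If it is removed because the compiler now checks state-mutability declarations, the Minor Details list should say so in one line instead of falling silent on the topic; if the second half of the removed bullet (that a function which "claims" to be constant might still change state) still applies at the EVM level, that caveat should survive the edit. Either way the commit message should explain why the bullet is dropped, since a reader comparing versions of this page will otherwise assume the warning was withdrawn as wrong.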
@@ -239,6 +236,22 @@ Minor Details
Recommendations
***************
+Take Warnings Seriously
+=======================
+
+If the compiler warns you about something, you should better change it.
+Even if you do not think that this particular warning has security
+implications, there might be another issue buried beneath it.
+Any compiler warning we issue can be silenced by slight changes to the
+code.
+
+Also try to enable the "0.5.0" safety features as early as possible
+by adding ``pragma experimental "v0.5.0";``. Note that in this case,
+the word ``experimental`` does not mean that the safety features are in any
+way risky, it is just a way to enable some features that are
+not yet part of the latest version of Solidity due to backwards
+compatibility.
+
Restrict the Amount of Ether
============================
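Review bot: "you should better change it" in the opening sentence of the new section is ungrammatical; "you should change it" or "it is better to fix it" reads correctly. The sentence "Any compiler warning we issue can be silenced by slight changes to the code" is an absolute claim that stops being true the moment one warning is not; "Compiler warnings can usually be silenced by slight changes to the code" keeps the point without the promise. The pragma paragraph names the version two ways ("0.5.0" in prose, ``v0.5.0`` in the pragma); use the form that appears in the pragma consistently, and consider cross-referencing the section that documents ``pragma experimental`` so readers can see which safety features the line actually enables. Placing this section first under Recommendations, ahead of "Restrict the Amount of Ether", gives it the most prominent spot; if that emphasis is not intended, append it after the existing subsections instead.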