Kas Ob.

Yes, right on the point. This is very confusing, as there is anonymous methods and there is anonymous procedure/function. These are different things, methods are aware of self and it is a must to have, while the latter don't have self.

I think i can pin point it ! Just remembered another situation when the project wasn't using specific 3rd party library library, namely AlphaSkins and acPng dcu kept popping in compiled while it wasn't referenced in that project, the project wasn't even using AlphaSkins but the standard VCL TImage, this happen on my IDE and my PC not the client (owner of the source), i solved it by simply disabling or removing that package form the IDE when working on that project.

I witnessed such behavior, in few times was not a pas unit but in dcu file referring to some ghost unit that i don't have reference in the code. And it was a removed referenced unit after refactoring, so searching for the name of needed unit will return no result, while the dcu still having the reference. Try to rename the folders with your DCU's, also when it dcu tracking then Process Monitor will show some extra information about this.

Rename that unit, then build.

As i said because it failed so many times to guarantee better and safer code practice, as we read so many times, so is it the best?, yeah it is,.. is it suggest to continue to be used in most critical software ? here comes the answer : NO , so is there better solution ? Yes and they calling to skip it to something better and more safer, not ... again not because it can't deliver, but there is a problem with the human factor and they gave up on fixing it. Don't take my opinion on the subject, and think about this : Can all the big companies wrong as they call to drop the language and switch to something else ? And please remember that : what ever you might suggest or even imagine, is already had been done and tried with C/C++ and still failed again and again. Rust doesn't have that much of unique as language except key features which limit the developer to design as he might imagine or wish, and involve the compiler even more, for Delphi (though) this might trigger many here, smart pointer will be wrong direction and will not solve anything, not just because Embarcadero might fail to deliver, or waste of time and resources, but because with all the libraries in C/C++ and still failing, so why repeat the tested and expect different result, please don't take this as debate for now about this subject, it is what one can deduce from what is happening now. Delphi will be many folds safer with removing or limiting the memory handling by code and give that to the compiler, same as Rust, if there is no shuffling then we don't need smart pointer or stupid ones, it is so simple, will this hinder our coding design, may be it will, but most likely it only need more code, though i doubt it will be longer than it is now, in all cases it will ensure better design and structure, a hardened and sound one. Imagine one directive at the top of the unit Delphi file that make all the variables and fields initialized and compiler and compile time managed, the compiler will stop you until fix them all, breaking zero backward code (legacy), and ensure the future is brighter and better, and the transition will be easier with compiler error and warning, and no smart pointers with stupid code that trying to retrieve few milliseconds in performance while different approach could be faster at the root.

Fair and with in your right, but let me ask you a simple question When you last time saw Delphi/Pascal code where a function had one letter name like f or g ?... Yesterday i watched this I believe i pasted the link as Stefan put it in the German forum The talk is great and very valuable, and if anyone is not familiar with lecture then know that this dude wrote C++ specification for breakfast, and here it comes write the guide lines for safety, yet when i watched it i saw that he himself with his examples violate a rule that always use expressive naming, and yes there was f and g, this comes from math, and the obsession of C++ developer with math to look cool, everyone looks to Bjarne and his talks and books, yet the beginners will scratch these examples in their brains forever with one letter function as name. Look at this "New Rules" titled in 2020 https://devblogs.microsoft.com/cppblog/new-safety-rules-in-c-core-check/ I think every C and C++ compiler out there does warn about default for a switch, yet that blog post deemed it a must to remind everyone with it, in Rust the code will not compile and C and C++ and in %90 no one will see it because there 458648567 another warning, some of these warnings makes sense but most of them don't, C and C++ are cursed with arrogance and stubbornness and its culture is beyond control, (my opinion) Rollo62 all what i am saying is even with all of this power of C++, it fails be the best language for long term security and safety, they (the most invested companies and teams and i trust they have better insight and view on this subject ) said C/C++ will not cut it and Rust it is. they decided to burn the tower and throw the power tools for better language, that (again) doesn't bring any thing new, on the contrary only remove the ability to use many C++ features, and evidently they see it as success story.

One more thing, if it was easy to define and put finger on memory safety issues in C++, then trust me, no one would have discussed memory safety at this scope and this range of popularity. Each projects and each company has its own strict guide lines for safety and integrity of code, yet it is so clear that they are still short and still fail. In movies they say the villain should be masterful without any mistakes every time, while the good detective need to be lucky once. With security this rule is reversed the good guy should not make a simple mistake in thousands of code, and the villain need to be lucky to found one mistake. Delphi/Pascal is easier to produce memory safe code and executables.

Its not that only. See, we the Delphi programmers used to do things in specific way, this out of the structure of the language of Pascal and by tradition or best practices, it goes like (as example ) automatically without thinking to put try..finally then call free, C++ there is none like this, but i am not saying C++ is incapable of, on contrary it can do more things because it is more powerful, but C++ developers doesn't have the discipline of Pascal's, this is exactly why all these big companies with their top tier developer keep doing or falling with the same traps again and again. When these big companies suggest to switch to different language like Rust not out of powerful of Rust or the lack of the tools in C++, on the contrary they reached to a conclusion that too much power is simply harmful, more limited tools are better fit and more secure. When you say Delphi is not memory safe, yes it is, just like any other language, yet the guide lines for Pascal and Delphi are way simpler and clearer than C++ to produce memory safe code (either bugs or vulnerability) , Rust is similar, its guide lines are harder to break as they incorporated within the language syntax itself. In Delphi if you leave the Overflow Check at on all the time, then you really had to be making big mistakes to breach memory safety for something like accessing index memory or handling managed types, these managed types specially arrays and strings are managed by the compiler in very nice way, in C++ there is hundreds of implementation of such arrays and strings, and they all will depends on some implementation, yet while they are completely safe at the same type coming form the same library, they are useless when it comes to interact with different library or the OS or whatever and here comes the problems of casting and unsafe converting.

Also SHA3, SHA512 are faster by at least %50 than SHA256.

If C++ compiler allocated all vars upfront and didn't use PUSH/POP inside any scope of code then they will be closer.

As Lajos said, if they are only cache and will not be needed after a restart or to be shared with different process, then put them in system temp folder and don't share writing, as for hashing 44Mb is nothing to worry about, but you can build a table to hash parts like every 64kb this way you will check that part when you read (need) it.

About this ! I am sorry but will try again with different method to explain why few users here is missing the right angel to look at this. So: 1) The memory safety in all these articles and publication are not about what you think is, though few of them miss name the problem or miss use the term in wrong places, this is the problem when there is no clear definition. 2) The most memory safe language is JavaScript, I honestly believe that, as stupid as it sound, BUT you must understand what are we describing here, see, it is near impossible to write JS code and take over a PC, can you ? and the question is not that, to be exact can you escalate memory failure within JS code to execute out of bound code aka hijack the execution ? NOPE, you can't ! JS is almost always runs in a special VM with interpreter, so you need to escalate a memory violation to escape that VM which in %99 run inside isolated process of browser then hijack the execution there, then escape the host browser process itself, then trigger malicious execution in the host that runs the browser, .... JS is memory safe for this subject, which is escalating memory triggered violation by malicious data (again data) to execute managed or unmanaged code (malicious or whatsoever aka DDoS) 3) I am mathematician by education, and i tend to an abstract(s) everywhere, this helps me, so lets look at this but from different perspective, one said he can compare potatoes and grapes, may be farmers and cooks will lose their shit, while i am fine with it, it is his build, abstract, math realm ... call it what ever you want, and let him call it as he wish, he managed to compare potatoes and grapes, and without understanding this scale we can't argue with rightness not we can call it fallacy, he might be comparing the percent of water or Zinc ... in both, or something not very usual like the shade of color in comparison HTML color names then sorts these names then put the grape or the potato in a scale of it, You know what we don't care about this abstract we care about different thing, there is a scale so we can use it, When all these companies shouting about memory safety, well they have the best developer and programmers in the world, i mean literally the best end there, and their code with be reviewed many times, and these companies like Apple, Google, Microsoft, Oracle, IBM ...they don't cheap out on bugs and security, i am sure they tried everything they could, and now they are throwing the towel, no matter how good and experienced their developers, they again and again do the same mistakes and same wrong doing, causing security bug and CVE, these cost money and reputation, remember these CVE are fixed and patched by the same experienced top shelf programmers, yet again they doomed to repeat the same. This also goes for open source software like Linux and Mozilla, literally the memory safety induced breach is there and no one can see it, and nor AI. Anyway, they are throwing the towel now and switch to prevent the developer from doing smart stuff, and limit their lanes, Rust is very strict and fit those needs, and that why all of these as C++ is way too much powerful and the developers tend grab it and start swing, the approach of investing in the developers them self, looks like failed or didn't yield the required result, so switching to different approach like changing the tooling. Again memory safety is not from powerful language as powerfulness is irrelevant here, but from consequences of using that language to handle data in the memory. 4) They all managed to have a scale to compare Rust and C/C++ in memory safety (again within the context explained above), then we can use the same scale for Delphi. 5) C++ is way more powerful than Rust, and there is nothing can't be done with C++ that Rust has, yet we are talking about different problem the ignoring the human factor, the one that made all these companies give up on their developers, and all these 3 letters agencies recommend, they all saw stuff and shit. back to this It is not !, but wait what are we talking about ? is memory-safe in your phrase is the same as my above or in the articles ? the same perspective ? It is not !, yet it is safer than C++, just because we are limited with stack usage, and our variables allocated before hand.

This subject is relatively fresh Yet searching for "PEM" or "JWK" result in nothing. DDG can find them though

I mentioned or to be exact dreamed about more evolved Pascal enhancement, mentioned it here at once as i recall, but really can't remember any comments or any discussions. So will write it here as it is relevant for memory safety. My suggestion is to introduce new modifier(s) to managed (and non managed) variables, this include classes/objects, the new main modifier is "Auto", example procedure Test(aFileName: string); var SList: TStringList; auto; // the compiler will ensure calling the default constructor and destructor begin //SList := TStringList.Create; // should stop the compiler with specific Error, you are not allowed to create an auto SList.LoadFromFile(aFileName); //SList.Free // should stop the compiler with specific Error, you are not allowed to destreuct/free an auto end There is also similar modifier like "init/create" and "free" these will only their part and the compiler will ensure you can't abuse the memory layout or use after free. This also can be applied to fields in TObject/Class, the compiler will put the default constructor and destructor in their right position and will stop compiling when the code is trying to call constructor and destructor. But one could say using "auto" for the fields in classes will make initializing slower, no it will not as sooner or later it will initialized or used (except other usage, will follow down), will this cause degradation in performance?, no, not really, after all there is a price for pay. Another modifier which i can argue will be very helpful, is "delayed" or "onuse".., this one is for places when you don't know if that class will be needed or not, so the compiler will not auto create it !, but will initialize it to 0 (nil), and will check against that nil on every first usage with in the current scope then call the constructor in-place, guaranteeing its readiness, while will enforce calling the destructor in every scope it mentioned (referenced) but again if it is nil then nothing to do. With "delayed" modifier there is a performance hit for sure but it is merely "if assigned(x)" and as i mentioned above at the first usage in the current scope, so when in doubt i will leave to the compiler but when i am sure i will need that delayed to be ready for lets say a loop, then i can call specific function on it or just touch it in any code so the following code will not have to have the check for creation, of course if such delayed var is used in a loop then the compiler will put the constructor before entering the loop (at the loop limit preparing code) Also to mention how clean the code will become not just eliminating user after free or use non initialized. as for compiler: Delphi compiler is already equipped and has the ability to do that so minimal adjusting is needed, it does the same with all managed types (strings, arrays..) for the suggested modifiers above it will be close to this Currently the compiler does the same with strings and arrays as seen here ( though this is my XE8 so not sure about the latest versions) for combining the suggested "delayed" with the above the compiler could check for referencing one to another and adjust or rearrange the creation and destruction order. Anyway, this i this another short by me to reach a discussion about this enhancement or call it evolution, also this is the right evolution toward more memory safety. There is also can be a suggestion for different modifier "secure" "mute" (or something), with this one the compiler will allow any assigning to referencing (or double referencing), in other words and as example, X is a class, no code such Y := X is allowed, you need X (the object in X) you have to use it where is it which is X, This will ensure specific design and will limit pointer miss using, you want to load a bunch of the like of that X in an array then either declare them there with in the array and use them there, or, custom and precise steps should be done as guarantee to the compiler that this is well thought of, otherwise we need to write better code and design the structure better, another example ; X is secure object and it is a field in the non secure Z, the compiler will not allow to use X out side the scope of this current scope and/or outside the Z, meaning, the compiler will not allow passing X as parameter to a procedure, but will allow Z, X and its value is not allowed to be used in any direct assigning ":=", still we have the ability to introduce assign as operator that will ship or duplicate X fields, but not X itself or its pointer, that pointer should not be reached or allowed to be accessed by the compiler, and when i say compiler i mean the new language constraints for these suggestions.

Thank you for sharing ! This is yet the best reading i came across about Memory Safety.

Hi, I see no one answered you here, so i am not going to answer because i don't have a complete answer, and will explain why this will not be like the way it happened with EC JWK, and shouldn't be. PEM (Privacy Enhancement for Internet Electronic Mail) originally from https://www.rfc-editor.org/rfc/rfc1421 which had been updated few times and the last RFC is https://www.rfc-editor.org/rfc/rfc7468 With PEM and EC is easier and simpler then RSA keys to encode because (while both parameters are INTEGERS) but RSA parameters are encoded as BITSTRING then encapsulate the integers then list them as an array, this combined type has bit length not bytes, on top of that the length for fields with ASN.1 has its own standard which is not in byte, word, and dword, but again it is on own bit level, so the code to generate the headers for any type that can arbitrary is complex, unlike the case you mentioned with EC as the length private key or public key for such prime is fixed in length because the parameters are integers from a field predefined either by the named curve or by another parameter in case the curve is not named (not the case with SO example), again here the field size will be BITSTRING, but this is irrelevant here, in EC x and y are the public key which is a simple point in a field, while d is the scalar in that named field representing the private key. Back to RSA and its parameters, in your public key there is e and n , e is the exponent which is in most cases have one of two values (3 or 65537), 3 is not recommended, there are other small primes like (5, 17..) but i never saw RSA key with one of them. n is a prime, and this is the problem with the size if case the integer is not using the highest bit. Both must have their length convoyed by PEM in bits not in bytes, is your case the length is 2048, but is there a guarantee the generator of your key ? i don't know. My suggestion is to not try something like the SO example, i use proprietary library and never tried open source for such key with manually loading the parameters, but it should be doable easily, ICS or mormot(2) should/might do it, but i can't answer how easily it can be, as you should load the e and n from the JWK and feed them to some class in these library or use the raw functions of OpenSSL, after that OpenSSL will give you a right formatted PEM file/data. Both libraries i believe have do support JWK, so there a chance your need is very simple of load and pass to a class or something then save. Sorry can't help more. ps : if you want to replicate what have being done with SO example then you need the ASN1 parser, but again i don't recommend it, it might fail. https://lapo.it/asn1js/ and here is it with the PEM EC key from SO https://lapo.it/asn1js/#MHcCAQEEIEcMr_fVtxp342GyNF_m-VJob4fPKEQikJD8YsAj1RoIoAoGCCqGSM49AwEHoUQDQgAEsDbcYT8HzBk1tUl849ZHrhpIn8ZV7HfD1DwYdsP1ip0Rah18pZDqgTSmnKLu1E7_rUGABCxnIOMMaP2QtmJS2w Switch the "Definitions:" in that page to "PKCS#8 encrypted private key" for consistency in naming.

@Stefan Glienke you put your finger on the biggest pain source in Delphi and CBuilder. I honestly believe that the cause of this negligence and procrastination on enhancing the compiler is sourced from few things but mainly the stupid and outdated DebugInfo, see, enhancing the compiler to spit better, shorter and efficient code means the simple and stupid assembly instructions, right now it is a must to have at least one instruction per line at least, but with optimization some lines will not have any instructions, also means there will be multiple lines executed in one or more ASM instructions, also means some lines will be reordered or even omitted and this is important for the debugger, now comes the Borland DebugInfo and its really need to be re-hulled or even dropped and switched to something else, changing the simple and current retarded assembly flow will require the DebugInfo to have such changes convoyed to the debugger, and this is the black pit, enhancing compiler will require enhancing the debugger, and i mean almost rebuilding form the ground along with new. That is technical debt for Embarcadero, and they are castrating LLVM for the sake of the debugger and debug info.

Nothing, literally there is nothing ! But the point still stand C and C++ can so the same as Rust, as there is nothing Rust do and C++ can't, with that in mind and there is already a measure or standard that distinguish between Rust and C++ then Delphi has a place on that scale and it is closer to Rust than C++. It is all about semantics and investing time, where the language and compiler force the developer or prevent him from shortcuts or mistakes.

Agree, and if it is governmental agency then definitely they should use the most relevant and modern technology, in this case this will minimize the risk of faulty, unsafe or unsecure code, by argument above about everyone else non governmental, in software business trying to justify the transition and the cost, the cost is 0 for the tool chain yet the needed experienced developer/programmer in Rust is higher. No it's not. Lets agree to not agree on that, for me, just don't duck with the stack and the stack will not duck with you, is a moto.

I have few thoughts on this subject, i mean Rust and its safety because there is so much hype around this accompanied with lot of confusion with terminology. so : 1) By safety, most of the need for Rust is for security breach and counter fighting malicious and buggy code, due the memory safety, so it is not only about memory here, but around abusing the unsafe code that can be manipulated by handled (or arrived) data from untrusted source. 2) This safety concern come from almost from one source boundary checks and type casting (abusing), along with use after free. 3) Delphi is way more safer than C and C++, but when it comes to Rust then it is relatively comparable, and to understand what i mean you need to understand how Rust as language defined and how the compiler handle the code, this is the most important point, and there is many sources over the net explaining this and yet most of them mix terminology or just badly written to target a specific readers, wither too advanced in Rust or don't know if it is subject is the rust on an old power supply. An example of the differences and power of Rust against language like Delphi, in very short and lame way, in Delphi we can declare an array of bytes or TBytes or whatever, something like a list may be, but we can access it by an index, right ? of course right. That index can be a variable or a constant like MyList[5]. , in Rust you can't do that, you can't declare an open array and you can't access it by a constant or even by any variable, again it is complicated and i am not the best writer Again, in Delphi we can declare limited length array like ARR: array [0..255] of byte, in rust that is possible and in fact it is almost the only way but it must have a type, so in Delphi we should declare the type of that array then use it in variable like ARR: TMy256ByteArr. in Rust you can't access this 256 byte array by an integer variable it does need a variable declared as limited one to this very specific array, but in Delphi we can do that too like this (My256Int = 0..255;) and if you to the index of our array with this variable then never can breach the boundaries hence we stayed memory safe as much as Rust, both handled by the compiler, the difference Delphi might warn and might not, RUST will not compile, it will twist your hand to write strongly declared types and stick to them. This is a glimpse of the difference, and yet it does show how Delphi is comparable in memory safety if and only if the Delphi developer was experienced (as Dalija said) enough to not make such mistakes or ready to write many lines to ensure safety, also Delphi compiler does not help much with warning, as example ..it will eat any integer for an index without a problem and only will offer runtime checks when the boundaries are violated. Also Delphi doesn't use the stack for instances and this is huge safety on its own. So if you want an pseudo answer for this It is safer then C and C++ and you need to pay more for the extra work to make it comparable to Rust. But for real most the switching to Rust is due the security not the memory safety per se. Hope that was clear.

She, and i am sorry missed that, but HKLM does exist for all users, only if they have access to it, here form my registry Everyone can read form the root of HKLM, other users registry are in HK_USERS and the needed registry is there in one of them, the only problem is : unless the user for IIS is listed in one of the allowed groups, no ISAPI can read these users. Also a fun fact : HKEY_CURRENT_USER is just a virtual copy (shadow) for one (and one only) of these listed in HKEY_USERS.

He can and that is the problem, he can and there is a result but it is for different user as IIS (the host of the ISAPI) run in its own user, so most likely the error is the path doesn't exist or something. IIS run starts and runs in separated own user privileges, hence the complete different registry local user, also it deliberately has limited file access to prevent ISAPI from doing nasty stuff, or when things got broken and hacked that ISAPI can't compromise the system in whole. Also there is IIS isolation mode https://learn.microsoft.com/en-us/iis/manage/configuring-security/ensure-security-isolation-for-web-sites which spawn different hosting process with another different security context. @Sebastiana the best way to solve this right, is to ditch the registry and switch to either file ( in a guaranteed access directory for this ISAPI), or run a separated windows service to serve the registry to the ISAPI using some IPC, if there is an legacy code that is running on the same machine then it is possible to make it serve these data to the ISAPI, away form that it will be just ugly workarounds and most likely will break later due some changes in IIS or as always some hardening tools that change policies for IIS and running ISAPI's.

@Sebastiana from https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regopenkeyexa If your service or application impersonates different users, do not use this function with HKEY_CURRENT_USER. Instead, call the RegOpenCurrentUser function. And your ISAPI is running under different user most likely the is the limited IIS_IUSRS, you need to use RegOpenCurrentUser https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regopencurrentuser https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights

I do use FileZilla for years now, but can't remember the last time i downloaded it from its site ! And from the screenshot of VirusTotal, the classified it as AdWare, RiskWare... not really as malicious as it sound but yet there is a BundleWare (have the ability to download and run) that comes from different developer included in that setup. I recommend to use the portable version from https://portableapps.com/apps/internet/filezilla_portable But by using only the portable application we lose the ability to update in time, so i recommend to use portable platform itself, it does manage these applications nicely, https://portableapps.com/ The selling points of this: 1) they are in one place, and with one click the launcher can check and update them. 2) They are portable, meaning if you switch windows or copied that folder in its whole, it will work on any Windows with all the settings, history... as the user used it.

I did that many times in very similar needs, but instead of MessageBox which also i in the past used, now i do exception in a loop with Sleep(1) with check for global boolean variable, this will stop that thread specially if i am after the main thread. In some cases starting the debugging process is very slow if i don't know exactly when it will happen, like hunting these loch ness situations, but with that loop i don't have the message box, where the main thread had altered stack or touched, attach the process to the debugger then it will break in place, then change that global to exit the loop.