Pete Philips wrote:
> % pwd
> /tmp/squid-2.4.DEVEL4
> % find . -name "*.c" -exec egrep strcat\|strcpy {} \; | wc
> 161 416 5101
And surely some of these might be bad, but as Alex said, far from
all.
> As I said, I'm not an expert, so a ran ITS4 (the C code
> auditor from http://www.cigital.com/its4 ) on the src
> directory:
> tools.c:128:(Urgent) fprintf
> tools.c:131:(Urgent) fprintf
> tools.c:134:(Urgent) fprintf
> tools.c:137:(Urgent) fprintf
> tools.c:139:(Urgent) fprintf
...
> Non-constant format strings can often be attacked.
> Use a constant format string.
And if you look at these lines you will see that this is properly done
already. I'll give this scanner a very low rating since it
apparently flags all uses of functions which might be used (/abused)
insecurely, not only the ones which cannot be easily identified as
okay...
--
Henrik Nordstrom
Squid hacker

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html

Received on Wed Oct 25 2000 - 15:43:53 MDT
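The distinction Henrik is drawing, as an added example that is not part of the original thread and is not Squid's own code: a scanner like ITS4 flags every call whose format argument is not a string literal, but only one of the three patterns below is actually a problem. The helper names (render_unsafe, render_safe, log_to_buf, log_request) and the sample input "100%% done" are constructed for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Genuinely bad: text the caller got from the network is used as the
 * format string itself, so "%x", "%s" or "%n" in that text is interpreted.
 * This is the case a format-string scanner exists to catch. */
int render_unsafe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, user);
}

/* Correct: constant format, untrusted text passed as an argument. */
int render_safe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

/* Also correct, yet flagged by a naive scanner: the format is a parameter,
 * not a literal, but every caller of this wrapper passes a literal, so the
 * format can never be attacker data. Auditing the call sites, not the
 * vsnprintf line, is what decides this one. */
static int log_to_buf(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* The only caller of the wrapper: a constant format, request fields as
 * arguments (method and url are the untrusted parts). */
int log_request(char *out, size_t n, const char *method, const char *url)
{
    return log_to_buf(out, n, "%s %s", method, url);
}

int main(void)
{
    char buf[64];
    /* Constructed input containing a format directive ("%%"). The unsafe
     * path interprets it; the safe paths reproduce the text verbatim. */
    const char *user = "100%% done";

    render_unsafe(buf, sizeof buf, user);
    printf("unsafe : %s\n", buf);   /* "100% done"  - the input was interpreted */
    render_safe(buf, sizeof buf, user);
    printf("safe   : %s\n", buf);   /* "100%% done" - the input was copied */
    log_request(buf, sizeof buf, "GET", "/index.html");
    printf("wrapper: %s\n", buf);   /* "GET /index.html" */
    return 0;
}
```

The "%%" input is used instead of "%s" or "%n" so the difference is visible without undefined behaviour: the unsafe path consumes the directive and emits a single "%", which is exactly the evidence that user text reached the format parser. A compiler with -Wformat-security warns on render_unsafe alone; it stays silent on log_to_buf because the wrapper's format is a variable, which is why the wrapper still needs a human to check its callers.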
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:57 MST