List: kde-core-devel
Subject: Re: RFC: Performing code security audits before releases...
From: Alex Zepeda <jazepeda () pacbell ! net>
Date: 2002-02-25 19:43:31
On Mon, Feb 25, 2002 at 02:10:03AM -0500, Dawit Alemayehu wrote:
> For starters I generated and attached below a report for the entire
> kdelibs directory using RATS (http://www.securesw.com/rats/). Perhaps
> using the lessons we learn from using tools like this we can write a
> HOWTO article or create methods to avoid the pitfalls.
A quick check (dcopclient.cpp only) revealed lots of false positives, and
two (ln 1133, 1164). Certainly, QCString.append or the << operator would
be a bit cleaner here.
What would be really valuable would be to have the tool realize when a
dynamic string class is being used (with say getenv), or when sprintf is
used in an unsafe manner (say with a string and no "precision"). This would
eliminate lots of these warnings (for sure sprintf with a fixed size
format shouldn't really trigger any warnings -- at least medium or lower).
- alex
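The heuristic Alex asks for above, written out as an added example that is not part of the original thread, of RATS, or of kdelibs: a C++ function that classifies a printf-style format string as having bounded output (integer, pointer and character conversions, or `%s` with an explicit precision) or unbounded output (`%s` without a precision, or a `*` width/precision that cannot be known statically), which is what a checker would need to suppress warnings on fixed-size formats. It is paired with the dynamic-string construction he suggests instead of `sprintf`, handling the case where `getenv` returns a null pointer. The function names `formatOutputBounded` and `envLine` are assumptions, and the sample format strings are constructed for the demonstration.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>

// Heuristic: a format whose every conversion has a bounded output width
// cannot overflow a destination sized for the worst case, so a checker
// need not warn about sprintf() on it.  Returns false as soon as it finds
// a conversion whose output length depends on the argument (%s with no
// precision, '*' width or precision, float conversions, or a truncated or
// unknown conversion).  Conservative by design: unknown means "unbounded".
bool formatOutputBounded(const char* fmt) {
    for (const char* p = fmt; *p; ++p) {
        if (*p != '%') continue;
        ++p;
        if (*p == '%') continue;                 // literal "%%"

        while (*p && std::strchr("-+ #0", *p)) ++p;   // flags
        if (*p == '*') return false;            // width supplied at run time
        while (*p >= '0' && *p <= '9') ++p;     // fixed minimum width

        bool hasPrecision = false;
        if (*p == '.') {                        // precision
            ++p;
            if (*p == '*') return false;        // precision supplied at run time
            hasPrecision = true;
            while (*p >= '0' && *p <= '9') ++p;
        }

        while (*p && std::strchr("hlLqjzt", *p)) ++p;  // length modifiers
        if (!*p) return false;                  // format ends inside a spec

        switch (*p) {
        case 'd': case 'i': case 'u': case 'x': case 'X': case 'o':
        case 'c': case 'p':
            break;                              // bounded by the argument type
        case 's':
            if (!hasPrecision) return false;    // "%s" without ".N": any length
            break;
        default:
            return false;                       // %f/%e/%g, %n, unknown: treat as unbounded
        }
    }
    return true;
}

// The dynamic-string alternative to sprintf(buf, "%s=%s", name, value):
// the string grows as needed, and a null value (getenv() on an unset
// variable) is handled instead of being passed to "%s".
std::string envLine(const char* name, const char* value) {
    std::string line(name);
    line += '=';
    if (value) line += value;
    return line;
}

int main() {
    const char* samples[] = {            // constructed sample formats
        "%d items", "%s", "%.40s", "%08lx:%c", "%*d", "%.*s", "100%% done"
    };
    for (const char* f : samples)
        std::printf("%-12s -> %s\n", f, formatOutputBounded(f) ? "bounded" : "UNBOUNDED");

    std::printf("%s\n", envLine("HOME", std::getenv("HOME")).c_str());
    return 0;
}
```

Output sizes of integer conversions still depend on the length modifier and the platform, so a real checker would combine this verdict with the declared size of the destination buffer before deciding to stay silent.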