
curl-library

Re: [PATCH] banning "unsafe" functions

From: Oscar Koeroo <okoeroo_at_nikhef.nl>
Date: Wed, 06 Mar 2013 18:51:55 +0100

On 06-03-13 13:34, Daniel Stenberg wrote:
> Hi,
>
> As a result of the last security vulnerability we had, I'm adding new
> code to checksrc that will alert us on uses of (v)sprintf, strcat and
> gets in the code base.
>
> This is meant to be an additional tool to help us detect unsafe code
> easier, since all those functions are too easily used without careful
> considerations of all possible side-effects.
>
> I also had to clean up some code so that this wouldn't immediately start
> complaining! =)
>
> Comments or improvements?

You've used aprintf(). I personally love aprintf(), but OSX 10.6 and a
lot of older systems are not equipped with such a beautiful feature.
Probably not even POSIX.

To do the same I recommend

count = snprintf(NULL, 0, "myformat"); /* length, not counting the NUL */
buf = malloc(count + 1);
if(buf)
  snprintf(buf, count + 1, "myformat");

Or solve it with macro-foo to introduce the equivalent of aprintf()
into libcurl.

        Oscar


Received on 2013-03-06
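
The measure-then-allocate idiom from the mail above, generalised to a variadic helper; this is an added example, not code from the original mail or from libcurl. The name alloc_printf and the sample input are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* alloc_printf: hypothetical name, not a libcurl function.
   Returns a malloc()ed, NUL-terminated string, or NULL on error. */
char *alloc_printf(const char *fmt, ...)
{
  va_list ap, ap2;
  char *buf;
  int len;

  va_start(ap, fmt);
  va_copy(ap2, ap);   /* each vsnprintf call consumes its va_list */

  /* C99: with size 0 nothing is written and the return value is the
     length of the full output, NOT counting the terminating NUL.
     Pre-C99 libcs may return -1 here; that is treated as an error. */
  len = vsnprintf(NULL, 0, fmt, ap);
  va_end(ap);
  if(len < 0) {
    va_end(ap2);
    return NULL;
  }

  buf = malloc((size_t)len + 1);   /* +1 for the terminator */
  /* The second pass must produce exactly the measured length. */
  if(buf && vsnprintf(buf, (size_t)len + 1, fmt, ap2) != len) {
    free(buf);
    buf = NULL;
  }
  va_end(ap2);
  return buf;
}

int main(void)
{
  /* constructed sample input */
  char *s = alloc_printf("%s:%d", "example.invalid", 8080);
  if(!s)
    return 1;
  printf("%s (%zu bytes)\n", s, strlen(s));
  free(s);
  return 0;
}
```
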