Sender: scz (小四), Board: Security
Subject: A simple source-code security checking tool
Posting site: 武汉白云黄鹤站 (Sat Jul  8 17:44:21 2000), local mail

Alan DeKok

 [ This should probably wait until Monday to be released ... ]

  I've written a simple GPL'd security scanner for the classic
problems of printf-style functions, where a variable contains
formatting characters.  e.g.:

  variable = "%s";                   /* or malicious user input */
  sprintf(buffer, variable);         /* BAD! */

  The preferred solution would be to call sprintf in the following
manner:

  sprintf(buffer, "%s", variable);   /* Probably OK */

  That's really all it does.  But it does allow for user-supplied
per-application configuration files for problematic functions.

  The URL is:  http://www.striker.ottawa.on.ca/~aland/pscan/

  I've taken the liberty of scanning the latest wu-ftpd source, and
posting the results on the web page.  I've checked the result, and
didn't see any obviously exploitable holes, but the wu-ftpd people may
want to double-check that themselves.

  I took some care to minimize the number of false positives that the
program produces, and to make the output and documentation clear.
That should help to make it a useful program, which can be one more
step in securing your programs.

  Alan DeKok.

--
            Perhaps one day he will rise again from the pattering raindrops over the sea,
            fly westward, form a river once more, topple the cliffs on either bank once more,
            and come again to seek the peach blossoms along the shore. Yet I dare not speak of a next life, nor dare I believe in one......
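A minimal scanner implementing the check the message above describes, added here as an illustration and not pscan's own code: a per-function table names which argument is the format string (the table layout is assumed, not pscan's configuration file format), and any call whose format argument is not a string literal is reported. The constructed sample input reproduces the sprintf(buffer, variable) case from the message, plus a nested call and a comma inside a literal to show the argument splitting.

```python
import re

# Constructed table in the spirit of pscan's per-function configuration (an
# assumed layout, not pscan's own format): name -> index of the format argument.
FORMAT_FUNCS = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_FUNCS) + r")\s*\(")

def split_args(src, start):
    """Split the call arguments starting after '(' at src[start] on depth-0 commas."""
    args, cur, depth, in_str, i = [], [], 0, False, start
    while i < len(src):
        ch = src[i]
        if in_str:                          # inside a "..." literal
            cur.append(ch)
            if ch == "\\":                  # copy the escaped char verbatim
                i += 1
                cur.append(src[i])
            elif ch == '"':
                in_str = False
        elif ch == ")" and depth == 0:      # closing paren of the call itself
            args.append("".join(cur).strip())
            return args
        elif ch == "," and depth == 0:      # argument separator
            args.append("".join(cur).strip())
            cur = []
        else:                               # nested parens, string start, plain text
            in_str = ch == '"'
            depth += (ch == "(") - (ch == ")")
            cur.append(ch)
        i += 1
    return args                             # unterminated call: best effort

def scan(source):
    """Return (line, func, fmt) for calls whose format argument is not a literal."""
    findings = []
    for m in CALL_RE.finditer(source):
        func, args = m.group(1), split_args(source, m.end())
        idx = FORMAT_FUNCS[func]
        if idx < len(args) and not args[idx].startswith('"'):
            findings.append((source.count("\n", 0, m.start()) + 1, func, args[idx]))
    return findings

SAMPLE = '''/* constructed sample input, not code from any real project */
char *variable = "%s";                    /* or malicious user input */
sprintf(buffer, variable);                /* BAD: variable is the format */
sprintf(buffer, "%s", variable);          /* OK: literal format */
snprintf(buf, sizeof(buf), fmt, x);       /* BAD: fmt is not a literal */
printf("%d, %d\\n", f(a, b), c);           /* OK: comma in literal, nested call */
fprintf(stderr, gettext("hi %s"), name);  /* flagged: call result as format */
'''
```

Running scan(SAMPLE) reports lines 3, 5 and 7; like pscan, it is a textual check, so a non-literal format that is in fact a compile-time constant (the gettext case) is reported for a human to review rather than silently accepted.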

  
