secure-coding

Which of sprintf/snprintf is more secure?

Submitted by 做~自己de王妃 on 2021-02-17 08:20:26
Question: I wish to know which of these two options is the more secure one to use:

#define MAXLEN 255
char buff[MAXLEN + 1];
sprintf(buff, "%.*s", MAXLEN, name);
snprintf(buff, MAXLEN, "%s", name);

My understanding is that both are the same. Please suggest.

Answer 1: The two expressions you gave are not equivalent: sprintf takes no argument specifying the maximum number of bytes to write; it simply takes a destination buffer, a format string, and a bunch of arguments. Therefore, it may write more bytes than your

How to avoid command injection in node child_process exec

Submitted by 谁说我不能喝 on 2021-01-07 03:01:29
Question: I am opening the IE browser in (via) my Electron application using Node child_process. Code below:

var cp = require('child_process');
var browser = cp.exec('start', 'iexplore', ['-private', args.url]);

This is raising a command injection warning when I run Fortify analysis on this code. Also, this args.url is fetched from an API resource (stored in the DB) and is not related to any user input on this client application. Please help me escape this. I also tried spawn, but with no success.

Answer 1: As a rule of