From: scz (小四), Board: Security
Subject: A simple source code security checking tool
Posted from: Wuhan Baiyun Huanghe BBS (Sat Jul 8 17:44:21 2000), local post
Alan DeKok
[ This should probably wait until Monday to be released ... ]
I've written a simple GPL'd security scanner for the classic
problems of printf-style functions, where a variable contains
formatting characters. e.g.:
char buffer[256];
const char *variable = "%s"; /* or malicious user input */
sprintf(buffer, variable); /* BAD! */
The preferred solution would be to call sprintf in the following
manner:
sprintf(buffer, "%s", variable); /* Probably OK */
That's really all it does. But it does allow for user supplied
per-application configuration files for problematic functions.
The URL is: http://www.striker.ottawa.on.ca/~aland/pscan/
I've taken the liberty of scanning the latest wu-ftpd source, and
posting the results on the web page. I've checked the result, and
didn't see any obviously exploitable holes, but the wu-ftpd people may
want to double-check that themselves.
I took some care to minimize the number of false positives that the
program produces, and to make the output and documentation clear.
That should help to make it a useful program, which can be one more
step in securing your programs.
Alan DeKok.
--
Perhaps one day he will rise again from the pouring rain over the sea,
fly westward, form a river once more, topple the cliffs on both banks again,
and come again seeking the peach blossoms along the shore. Yet I dare not speak of a next life, nor dare I believe in one......
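The check the post describes (flag a printf-style call whose format argument is not a string literal) can be shown in a few dozen lines of C. The scanner below is an added example written for this page; it is not pscan's own code and does not reproduce its configuration-file format. The function table FMT_FUNCS, the helper names nth_arg, scan_line, flags_line and scan_source, and the SAMPLE_SRC input are all constructed for the illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a per-application config file: each
 * printf-style function and the 1-based position of its format argument. */
struct fmtfn { const char *name; int fmt_arg; };
static const struct fmtfn FMT_FUNCS[] = {
    {"printf", 1}, {"sprintf", 2}, {"fprintf", 2},
    {"snprintf", 3}, {"syslog", 2},
};
#define NFUNCS (sizeof FMT_FUNCS / sizeof FMT_FUNCS[0])

/* Return the n-th (1-based) top-level argument of the call whose text
 * starts just after '(' at p, with its trimmed length in *len.
 * Commas inside nested parentheses or string literals do not split. */
static const char *nth_arg(const char *p, int n, size_t *len)
{
    int depth = 0, idx = 1;
    const char *start = p;
    for (; *p; p++) {
        if (*p == '"') {               /* skip a string literal, honouring \" */
            for (p++; *p && *p != '"'; p++)
                if (*p == '\\' && p[1]) p++;
            if (!*p) return NULL;
            continue;
        }
        if (*p == '(') { depth++; continue; }
        if (depth == 0 && (*p == ',' || *p == ')')) {
            if (idx == n) {
                while (start < p && isspace((unsigned char)*start)) start++;
                const char *end = p;
                while (end > start && isspace((unsigned char)end[-1])) end--;
                *len = (size_t)(end - start);
                return *len ? start : NULL;
            }
            if (*p == ')') return NULL;   /* fewer than n arguments */
            idx++; start = p + 1;
            continue;
        }
        if (*p == ')') depth--;
    }
    return NULL;
}

/* Return 1 (and describe the finding in `why`) if the line calls a listed
 * function with a format argument that is not a string literal, else 0. */
int scan_line(const char *line, char *why, size_t why_len)
{
    for (size_t i = 0; i < NFUNCS; i++) {
        const char *name = FMT_FUNCS[i].name;
        const char *hit = line;
        while ((hit = strstr(hit, name)) != NULL) {
            const char *after = hit + strlen(name);
            /* "sprintf" must not match inside "vsprintf" or "my_sprintf" */
            int bounded = hit == line ||
                          !(isalnum((unsigned char)hit[-1]) || hit[-1] == '_');
            hit = after;
            if (!bounded) continue;
            while (isspace((unsigned char)*after)) after++;
            if (*after != '(') continue;
            size_t alen;
            const char *arg = nth_arg(after + 1, FMT_FUNCS[i].fmt_arg, &alen);
            if (!arg || arg[0] == '"') continue;   /* literal format: fine */
            snprintf(why, why_len, "%s: non-literal format argument '%.*s'",
                     name, (int)alen, arg);
            return 1;
        }
    }
    return 0;
}

/* Convenience wrapper when the explanation text is not needed. */
int flags_line(const char *line)
{
    char why[256];
    return scan_line(line, why, sizeof why);
}

/* Scan a whole source buffer line by line; return the number of flagged calls. */
int scan_source(const char *src)
{
    int flagged = 0;
    char line[512], why[256];
    while (*src) {
        size_t skip = strcspn(src, "\n"), n = skip;
        if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, src, n); line[n] = '\0';
        if (scan_line(line, why, sizeof why)) { flagged++; printf("FLAG: %s\n", why); }
        src += skip; if (*src == '\n') src++;
    }
    return flagged;
}

/* Constructed sample input (not taken from any real project). */
const char *SAMPLE_SRC =
    "    sprintf(buffer, variable);              /* BAD: user data is the format */\n"
    "    sprintf(buffer, \"%s\", variable);      /* OK */\n"
    "    printf(msg);                            /* BAD */\n"
    "    printf(\"%s\\n\", msg);                  /* OK */\n"
    "    snprintf(buf, sizeof(buf), fmt, x);     /* BAD: fmt is a variable */\n"
    "    my_printf(foo);                         /* not in the table */\n"
    "    fprintf(stderr, \"err: %s\", e);         /* OK */\n";

int main(void)
{
    int n = scan_source(SAMPLE_SRC);
    printf("%d suspicious call(s)\n", n);
    return 0;
}
```

On the sample input the scanner reports three calls (the two sprintf/printf lines with a bare variable and the snprintf line whose format is `fmt`), and passes the literal-format calls and the unrelated my_printf. Like any lexical check it cannot tell whether a non-literal format is actually attacker-controlled, which is why the post stresses false positives and manual review of the output; a real tool also has to cope with calls split across lines, macros, and `const char *fmt = "..."` indirections.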