Closed Bug 148256 Opened 22 years ago Closed 22 years ago

flawfinder warnings in XML Extras

Categories

(Core :: XML, defect)

defect
Not set
normal

Tracking

RESOLVED INVALID

People

(Reporter: hjtoi-bugzilla, Assigned: rayw)

Details

I ran flawfinder (http://www.dwheeler.com/flawfinder) on the Mozilla 1.0.1 branch.

flawfinder found 1 warning in XMLExtras code (1519).

If it is a false positive, comment here on why it is not an issue. If it is a real
issue, make a patch for it here and let's get it checked in.

In addition to checking the branch, also check the trunk.

The warning:

1519) extensions/xmlextras/soap/src/nsHTTPSOAPTransport.cpp:79 [4] (format)
printf: if format strings can be influenced by an attacker, they can be
exploited. Use a constant for the format specification.
Blocks: 148251
This is not a real security problem.

In this case, printf is being called by a macro invocation, and one of the macro
arguments is being used in the format string.  Since the macro argument is
immediately followed by a string literal with no operation or function specified
in between, the compiler does string concatenation, and any attempt to pass
anything but a literal in as the macro argument will fail (except perhaps
extremely complicated cases where the user is trying to fool the macro).
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
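An added illustration of the pattern described in the comment above (a constructed example, not Mozilla's nsHTTPSOAPTransport.cpp; the macro FORMAT_FIELD and the helper functions are assumed names): a macro argument placed next to a string literal is concatenated by the compiler, so the format is fixed at compile time, while attacker-influenced text is only ever passed as a %s argument.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not Mozilla's code: a macro in the style the comment
 * describes. The `label` argument sits directly beside a string literal, so
 * the compiler concatenates the two and the format is a compile-time
 * constant. Passing a variable instead of a literal, e.g.
 * FORMAT_FIELD(buf, n, some_ptr, 1), is a compile error, not a runtime risk. */
#define FORMAT_FIELD(buf, size, label, value) \
    snprintf((buf), (size), label ": %d\n", (value))

/* Uses the macro with a literal label; the only runtime input is an int. */
int format_status(char *out, size_t size, int code) {
    return FORMAT_FIELD(out, size, "status", code);
}

/* Hardened handling of text an attacker could influence: it is passed as a
 * %s argument, never used as the format string itself. */
int format_untrusted(char *out, size_t size, const char *text) {
    return snprintf(out, size, "%s\n", text);
}

/* Self-checks; each returns 1 on success and 0 on failure. */
int check_status_format(void) {
    char buf[32];
    int n = format_status(buf, sizeof buf, 200);
    return n == 12 && strcmp(buf, "status: 200\n") == 0;
}

int check_untrusted_is_literal(void) {
    /* Constructed hostile-looking input: conversion specifiers in the data. */
    const char *text = "%x %s %n";
    char buf[32];
    int n = format_untrusted(buf, sizeof buf, text);
    /* The specifiers are copied verbatim, not interpreted. */
    return n == (int)strlen(text) + 1 && strcmp(buf, "%x %s %n\n") == 0;
}
```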
Verified. This call is robust and unlikely to be misused in the future.
Status: RESOLVED → VERIFIED
Group: security?
1 more flawfinder warning for soap (4363). Reopening.

4363) extensions/xmlextras/soap/src/nsHTTPSOAPTransport.cpp:79 [4] (format)
printf: if format strings can be influenced by an attacker, they can be
exploited. Use a constant for the format specification.

Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Duplicate warnings, closing again.
Status: REOPENED → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
QA Contact: petersen → rakeshmishra