Closed
Bug 148278
Opened 22 years ago
Closed 22 years ago
flawfinder warnings in htmlparser
Categories
(Core :: DOM: HTML Parser, defect)
RESOLVED
INVALID
People
(Reporter: hjtoi-bugzilla, Assigned: harishd)
Attachments (1 file): 18.92 KB, text/html
I run flawfinder (http://www.dwheeler.com/flawfinder) on Mozilla 1.0.1 branch. flawfinder found 64 warnings in htmlparser code (3496-3559). Go through that list and for each warning:
* If it is a false positive, comment here why it is not an issue
* If it is a real issue, make a patch for it here and let's get them checked in
In addition to checking the branch, also check the trunk. I will attach an excerpt of the log since the full log is so big and inside NS firewall.
Reporter
Comment 1•22 years ago
Comment 2•22 years ago
Harish, If all of these warnings occur in #ifdef DEBUG blocks, then you can mark this fixed, but please make sure.
htmlgen.cpp, SelfTest.cpp, and nsDebugRobot are never used and are built only under DEBUG mode. So we can safely ignore these files. The rest of the warnings, in COtherElements, nsDTDUtils, nsViewSourceHTML, are under the ifdef DEBUG flag. I don't see a problem here. Marking INVALID.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
Updated•22 years ago
Group: security?
Comment 4•22 years ago
14 more flawfinder warnings in htmlparser (4449-4462). Reopening
4449) htmlparser/src/COtherElements.h:2386 [4] (format) printf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification.
4450) htmlparser/src/COtherElements.h:2466 [4] (format) printf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification.
4451) htmlparser/src/SelfTest.cpp:125 [4] (buffer) strcpy: does not check for buffer overflows. Consider using strncpy or strlcpy.
4452) htmlparser/src/SelfTest.cpp:165 [4] (buffer) strcpy: does not check for buffer overflows. Consider using strncpy or strlcpy.
4453) htmlparser/src/SelfTest.cpp:177 [4] (buffer) strcpy: does not check for buffer overflows. Consider using strncpy or strlcpy.
4454) htmlparser/src/SelfTest.cpp:179 [4] (buffer) strcat: does not check for buffer overflows. Consider using strncat or strlcat.
4455) htmlparser/src/SelfTest.cpp:188 [4] (buffer) strcpy: does not check for buffer overflows. Consider using strncpy or strlcpy.
4456) htmlparser/src/SelfTest.cpp:190 [4] (buffer) strcat: does not check for buffer overflows. Consider using strncat or strlcat.
4457) htmlparser/src/SelfTest.cpp:216 [4] (buffer) strcpy: does not check for buffer overflows. Consider using strncpy or strlcpy.
4458) htmlparser/src/nsViewSourceHTML.cpp:491 [4] (format) fprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification.
4459) htmlparser/src/nsViewSourceHTML.cpp:947 [4] (format) fprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification.
4460) htmlparser/src/nsViewSourceHTML.cpp:961 [4] (format) fprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification.
4461) htmlparser/src/nsViewSourceHTML.cpp:977 [4] (format) fprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification.
4462) htmlparser/src/nsViewSourceHTML.cpp:1005 [4] (format) fprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Reporter
Comment 5•22 years ago
Duplicate warnings, closing again.
Status: REOPENED → RESOLVED
Closed: 22 years ago → 22 years ago
Resolution: --- → INVALID
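
The check asked for in comment 2 (making sure every flagged line really sits inside an #ifdef DEBUG block) can be scripted instead of read by eye. The following is an added example, not part of the bug thread and not Mozilla or flawfinder code; the helper names debug_only_lines and triage are hypothetical, and the file demo/Dump.cpp, its source and the two report lines are constructed sample input. It is line-based and conservative: #else, #elif and #ifndef branches, and files it cannot find, are always sent to review.

```python
import re

# A flawfinder hit as quoted in comment 4: "4451) path/file.cpp:125 [4] (buffer) strcpy: ..."
HIT = re.compile(r"(\d+)\)\s+(\S+):(\d+)\s+\[(\d)\]\s+\((\w+)\)\s+(\w+):")
DIRECTIVE = re.compile(r"^\s*#\s*(ifdef|ifndef|if|elif|else|endif)\b\s*(.*)")

def debug_only_lines(source, macro="DEBUG"):
    """Return 1-based numbers of lines compiled only when `macro` is defined."""
    stack, guarded = [], set()  # one bool per open #if: does this branch need macro?
    for number, line in enumerate(source.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m is None:
            if any(stack):
                guarded.add(number)
            continue
        kind, cond = m.group(1), m.group(2).split("//")[0].strip()
        if kind == "ifdef":
            stack.append(cond == macro)
        elif kind == "if":
            stack.append(cond in (f"defined({macro})", f"defined {macro}"))
        elif kind == "ifndef":
            stack.append(False)
        elif kind in ("elif", "else") and stack:
            stack[-1] = False  # conservative: an #else/#elif branch is never trusted
        elif kind == "endif" and stack:
            stack.pop()
    return guarded

def triage(report, sources):
    """Split hits into (debug_only, needs_review); each item is (id, path, line, func)."""
    debug_only, needs_review = [], []
    for m in HIT.finditer(report):
        hit = (m.group(1), m.group(2), int(m.group(3)), m.group(6))
        guarded = debug_only_lines(sources.get(hit[1], ""))  # unknown file: nothing guarded
        (debug_only if hit[2] in guarded else needs_review).append(hit)
    return debug_only, needs_review

# Constructed sample (not Mozilla source, not real flawfinder output).
SAMPLE_SRC = """\
void Dump(const char* aMsg, char* aOut) {
#ifdef DEBUG
  printf(aMsg);
#else
  strcpy(aOut, aMsg);
#endif
}
"""
SAMPLE_REPORT = ("1) demo/Dump.cpp:3 [4] (format) printf: use a constant format. "
                 "2) demo/Dump.cpp:5 [4] (buffer) strcpy: no bounds check.")
```

Calling triage(SAMPLE_REPORT, {"demo/Dump.cpp": SAMPLE_SRC}) puts the printf hit in the DEBUG-only list and leaves the strcpy hit, which is compiled into release builds, for manual review.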