Closed Bug 148278 Opened 23 years ago Closed 23 years ago

flawfinder warnings in htmlparser

Categories

(Core :: DOM: HTML Parser, defect)

Product:
Core
Component:
DOM: HTML Parser
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: hjtoi-bugzilla, Assigned: harishd)

References

(
URL
)

Details

Attachments

(1 file)

flawfinder warnings
18.92 KB, text/html
Details
I run flawfinder (http://www.dwheeler.com/flawfinder) on Mozilla 1.0.1 branch. flawfinder found 64 warnings in htmlparser code (3496-3559). Go through that list and for each warning: * If it is false positive, comment here why it is not an issue * If it is a real issue, make patch for it here and let's get them checked in In addition the checking the branch, also check the trunk. I will attach an excerpt of the log since the full log is so big and inside NS firewall.
Blocks: 148251
Harish, If all of these warnings occur in #ifdef DEBUG blocks, then you can mark this fixed, but please make sure.
htmlgen.cpp, SelfTest.cpp, and nsDebugRobot are never used and is built only under DEBUG mode. So we can safely ignore these files. The rest of the warnings, in COherElements, nsDTDUtils, nsViewSourceHTML, under the ifdef DEBUG flag. I don't see a problem here. Marking INVALID.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → INVALID
Group: security?
14 more flawfinder warnings in htmlparser (4449-4462). Reopening 4449) htmlparser/src/COtherElements.h:2386 [4] (format) printf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4450) htmlparser/src/COtherElements.h:2466 [4] (format) printf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4451) htmlparser/src/SelfTest.cpp:125 [4] (buffer) strcpy: does not check for buffer overflows. Consider using strncpy or strlcpy. 4452) htmlparser/src/SelfTest.cpp:165 [4] (buffer) strcpy: does not check for buffer overflows. Consider using strncpy or strlcpy. 4453) htmlparser/src/SelfTest.cpp:177 [4] (buffer) strcpy: does not check for buffer overflows. Consider using strncpy or strlcpy. 4454) htmlparser/src/SelfTest.cpp:179 [4] (buffer) strcat: does not check for buffer overflows. Consider using strncat or strlcat. 4455) htmlparser/src/SelfTest.cpp:188 [4] (buffer) strcpy: does not check for buffer overflows. Consider using strncpy or strlcpy. 4456) htmlparser/src/SelfTest.cpp:190 [4] (buffer) strcat: does not check for buffer overflows. Consider using strncat or strlcat. 4457) htmlparser/src/SelfTest.cpp:216 [4] (buffer) strcpy: does not check for buffer overflows. Consider using strncpy or strlcpy. 4458) htmlparser/src/nsViewSourceHTML.cpp:491 [4] (format) fprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4459) htmlparser/src/nsViewSourceHTML.cpp:947 [4] (format) fprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4460) htmlparser/src/nsViewSourceHTML.cpp:961 [4] (format) fprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4461) htmlparser/src/nsViewSourceHTML.cpp:977 [4] (format) fprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4462) htmlparser/src/nsViewSourceHTML.cpp:1005 [4] (format) fprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Duplicate warnings, closing again.
Status: REOPENED → RESOLVED
Closed: 23 years ago23 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: