Hi Pat,
> From: matt @
uts .
EDU .
AU (Jas (Matthew K))
> C in and of itself is neither secure nor insecure. what makes "C
> programming" (in)secure is a combination of the OS you are running and the
^^^^^^^^^^^^^^^^^^
> libraries you use to do things within that OS.
^^^^^^^^^^^^^^^^^
| From patrick @
oes .
amdahl .
com (Patrick Horgan)
| ...
| system and popen in setuid applications (or at least making sure you push
| an intelligent PATH and IFS into the environment first?) If you have to
| use system or popen and the string you use is derived from user input, how
| about scanning for the first ';' and replacing it with '\0'? ...
Your points is exactly what Mat is saying! IFS/PATH are UNIX specific.
And popen() and buffer etc. are library specific (libc.a in UNIX). I am
sure requirements differ for DOS/VMS/etc. It is NOT your C habits which
makes programs secure ... it is your OS/library usage.
Regards,
Mandeep
------------------------------------------------------------------------------
|
|
