flawfinder
if (!strncasecmp(arg, "file://", strlen("file://"))) throws an issue #21
https://app.codacy.com/gh/vtorri/entice/issues?categoryType=Security
Codacy finds potential security problems in strlen calls:
Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126)
code:
if (!strncasecmp(arg, "file://", strlen("file://")))
but strlen("file://") is always 7, as we pass a static string which is always correctly 0-terminated.
I could probably work up a pull request, at least for the simplest case of a single double-quoted string argument. I will need to understand the unit tests, so I can add a proper unit test for the exception as well.
@dwvisser - that would be awesome!
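As an added illustration of the "simplest case" proposed above (not code from flawfinder or from this thread), the helper below extracts the arguments of strlen() calls on a source line and keeps only those that are not a single double-quoted string literal, so a call like strlen("file://") would no longer be reported as CWE-126 while strlen(buf) still would. Names and regexes here are assumptions of this example, not flawfinder's own API.

```python
import re

# Matches strlen( ... ) and captures the argument text. The first alternative
# accepts one double-quoted C literal (so a ')' inside the quotes is fine);
# the second accepts any other expression with at most one level of nesting.
STRLEN_CALL = re.compile(
    r'\bstrlen\s*\(\s*(?P<arg>"(?:[^"\\]|\\.)*"|[^()]*(?:\([^()]*\)[^()]*)*)\s*\)'
)

# A single double-quoted C string literal, escape sequences allowed.
STRING_LITERAL = re.compile(r'^"(?:[^"\\]|\\.)*"$')


def strlen_args(line):
    """Return the argument text of every strlen() call found on the line."""
    return [m.group("arg").strip() for m in STRLEN_CALL.finditer(line)]


def is_literal_arg(arg):
    """True if the argument is exactly one double-quoted string literal,
    which the compiler always NUL-terminates, so over-read is impossible."""
    return STRING_LITERAL.match(arg) is not None


def should_report(line):
    """Return the strlen() arguments that still merit a CWE-126 report:
    anything that is not a single string literal (variables, fields,
    adjacent-literal concatenation, macros, etc.)."""
    return [a for a in strlen_args(line) if not is_literal_arg(a)]


if __name__ == "__main__":
    # Constructed sample lines: the line from this issue, plus two others.
    for sample in (
        'if (!strncasecmp(arg, "file://", strlen("file://")))',
        "n = strlen(buf);",
        'len = strlen(name) + strlen("/");',
    ):
        print(sample, "->", should_report(sample))
```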