...
There are several national variants of ASCII. As a result, the original ASCII is often referred to as US-ASCII. ISO/IEC 646-1991 defines a character set, similar to US-ASCII, but with code positions corresponding to US-ASCII characters @ [ ] { | } as _national use positions_ [ISO/IEC 646-1991]. It also gives some liberties with the characters # $ ^ ` ~. In ISO 646, several national variants of ASCII have been defined, assigning different letters and symbols to the national use positions. Consequently, the characters that appear in those positions, including those in US-ASCII, are less portable in international data transfer. Because of the national variants, some characters are less portable than others: they might be transferred or interpreted incorrectly.
...
When naming files, variables, and other objects, only these characters should be considered for use. This recommendation is related to recommendation STR02-C. Sanitize data passed to complex subsystems.
...
As a result of the influence of MS-DOS, file names of the form xxxxxxxx.xxx, where x denotes an alphanumeric character, are generally supported by modern systems. On some platforms, file names are case sensitive, while on other platforms they are case insensitive. VU#439395 is an example of a vulnerability resulting from a failure to deal appropriately with case sensitivity issues [VU#439395].
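The following C sketch is an added example, not code from the CERT standard. It counts bytes that fall in the positions named above, tests a name against the MS-DOS style form, and detects two names that would collide on a case-insensitive platform. The function names are hypothetical, and reading xxxxxxxx.xxx as 1 to 8 alphanumerics with an optional 1 to 3 character extension is an assumption.

```c
#include <stddef.h>
#include <string.h>

/* ASCII-only test: isalnum() depends on the current locale. */
static int ascii_alnum(unsigned char c) {
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
           (c >= 'a' && c <= 'z');
}

/* Count bytes that are non-ASCII or in the positions the text names:
 * national use @ [ ] { | } and the loosely defined # $ ^ ` ~ */
size_t count_nonportable(const char *s) {
    size_t n = 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (c > 0x7F || strchr("@[]{|}#$^`~", c) != NULL)
            n++;
    }
    return n;
}

/* 1 if name is 1-8 alphanumerics, optionally followed by '.' and 1-3
 * alphanumerics (assumed reading of the xxxxxxxx.xxx form), else 0. */
int is_83_name(const char *name) {
    size_t base = 0, ext = 0;
    while (ascii_alnum((unsigned char)name[base]))
        base++;
    if (base < 1 || base > 8 || (name[base] != '\0' && name[base] != '.'))
        return 0;
    if (name[base] == '\0')
        return 1;
    const char *e = name + base + 1;
    while (ascii_alnum((unsigned char)e[ext]))
        ext++;
    return ext >= 1 && ext <= 3 && e[ext] == '\0';
}

/* 1 if the names differ at most in ASCII letter case, so they would
 * refer to the same file on a case-insensitive platform. */
int names_collide(const char *a, const char *b) {
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        unsigned char x = (unsigned char)*a, y = (unsigned char)*b;
        if (x >= 'A' && x <= 'Z') x += 'a' - 'A';
        if (y >= 'A' && y <= 'Z') y += 'a' - 'A';
        if (x != y)
            return 0;
    }
    return *a == *b;
}
```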
...
This noncompliant code example is derived from rule FIO30-C. Exclude user input from format strings, except that a newline is removed on the assumption that fgets() will include it.
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C++ Secure Coding Standard: MSC09-CPP. Character Encoding - Use Subset of ASCII for Safety
...
[Kuhn 2006] UTF-8 and Unicode FAQ for UNIX/Linux
[ISO/IEC 646-1991] ISO 7-bit coded character set for information interchange
[ISO/IEC 9899:1999] Section 5.2.1, "Character sets"
[ISO/IEC PDTR 24772] TR 24772 "AJN Choice of Filenames and other External Identifiers"
[MISRA 2004] Rule 3.2, "The character set and the corresponding encoding shall be documented," and Rule 4.1, "Only those escape sequences that are defined in the ISO C standard shall be used"
MITRE CWE: CWE-116, "Improper Encoding or Escaping of Output"
Bibliography
[MITRE 2007] CWE ID 116 (http://cwe.mitre.org/data/definitions/116.html), "Improper Encoding or Escaping of Output"
[Kuhn 2006] UTF-8 and Unicode FAQ for UNIX/Linux
[Wheeler 2003] 5.4 File Names
[VU#881872]
...