  1. Re: IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method

    The rule ENV03-C. Sanitize the environment when invoking external programs discusses how to sanitize environment variables before invoking external programs. At first I thought it needs a Java analogue, and then I realized that this rule could have a new NCCE/CS pair discussing how to do this. Not sure if its
  2. IDS14-J. Do not trust the contents of hidden form fields

    that accepts a visible field and a hidden field, and echoes them back to the user. The visible parameter is sanitized before being passed to the browser … ( sanitize(visible)); out.println("<br>Hidden Parameter:"); out.println(hidden); } else { out.println("<p>"); out.print("<form action=""); out.print("SampleServlet
  3. IDS01-PL. Use taint mode while being aware of its limitations

    , such as invoking the system() function. Finally, there are a few ways you can sanitize tainted data, thereby removing the taint. The details of how taint mode … that are used as an array index IDS32-PL. Validate any integer that is used as an array index Strings printed to standard output IDS33-PL. Sanitize untrusted
  4. Re: JNI04-J. Do not assume that Java strings are null-terminated

    directly to NewStringUTF(). If Java has an ASCII-to-Mod-UTF8 JNI function, you can also leverage that to know when strings are being properly sanitized. Which is the point...this is a sanitization problem of sorts. Well...actually a normalization problem, but it still can be handled by the same techniques that we discuss
  5. Re: IDS51-J. Properly encode or escape output

    ); is suitable contents for the display() function, but has no sanitization problems. Also, we traditionally describe the exploitability of code in text after the code, not in a comment. Dhruv's code example is a good start at a NCCE...it also does not indicate why not sanitizing its input is bad, but that can be fixed.
  6. Re: FIO32-C. Do not perform operations on devices that are only appropriate for files

    that the advice here (or perhaps somewhere else) is to perform platform-specific sanitization of file inputs even if the path is sanitized. Migrated to Confluence
  7. Re: ENV03-C. Sanitize the environment when invoking external programs

    Spotted a couple more problems with the grep example: It calls spc_sanitize_environment() to sanitize the environment, but that function does not alter the current environment, it creates a new one for use with execle() or execve(). One solution might be to do the sanitizing in the shell command. It would mean
  8. Re: ENV03-C. Sanitize the environment when invoking external programs

    are needed to make the code safe: It should sanitize the environment (or at least have a comment saying "sanitize the environment here ..."). It should ensure
  9. SEC01-J. Do not allow tainted variables in privileged blocks

    or sanitizing data before performing privileged operations (see IDS00-J. Prevent SQL injection). Noncompliant Code Example This noncompliant code example accepts a tainted … the cleanAFilenameAndPath() method to sanitize malicious inputs. Successful completion of the sanitization method indicates that the input is acceptable and the doPrivileged() block
  10. IDS51-J. Properly encode or escape output

    Proper input sanitization can prevent insertion of malicious data into a subsystem such as a database. However, different subsystems require different types of sanitization. Fortunately, it is usually obvious which subsystems will eventually receive which inputs, and consequently what type of sanitization is required