Page 7 of 13. Showing 123 results (0.006 seconds)

  1. Re: ERR01-J. Do not allow exceptions to expose sensitive information

    In Noncompliant Code Example (Wrapping and Rethrowing Sensitive Exception): IOException is a checked exception and NOT unchecked. Text needs to be changed - just say wrap the exception and rethrow. Done Can this sentence be reworded - queries that result in the sanitized message exclude the requested
  2. Re: MSC09-C. Character encoding: Use subset of ASCII for safety

    I changed the link to VU#881872 in the bibliography section to the link to VU#439395. (VU#439395 is mentioned right before the first NCCE.) As far as I understand, VU#881872 is a kind of vulnerability instance missing user input sanitization, so VU#881872 has nothing to do with this guideline. Anyone please
  3. Re: IDS00-J. Prevent SQL injection

    The organization of the various sanitization rules continues to confound me. This one emphasizes "command interpreters" in the description but contains no such examples. Instead, these can be found in IDS07-J. Do not pass untrusted, unsanitized data to the Runtime.exec() method
  4. Re: ENV03-C. Sanitize the environment when invoking external programs

    Yes, it is a real concern, but not a special case. It is dealt with by following the recommendation on this page (sanitizing the environment before executing another program). I think there may be two different issues getting mixed up here. My reply to Doug about LD_LIBRARY_PATH was specifically about the initial
  5. Re: IDS00-J. Prevent SQL injection

    to sanitize untrusted user data input. Also fixed Migrated to Confluence 4.0
  6. Re: SEI CERT Perl Coding Standard

    Like other languages, it is not a good idea to compare floating point numbers in Perl. For solving that you can: transform the numbers into strings and compare the strings according to the precision needs of yours: sub are_equals { #dont forget to sanitize $num1 and $num2 before using into sprintf     my ($num1, $num2
  7. Re: SER12-J. Prevent deserialization of untrusted data

    give me an opportunity after deserialization to sanitize your object. So I can make sure your object is not a LazyMap, for instance. We do have rules
  8. Re: SER12-J. Prevent deserialization of untrusted data

    are not sanitized before going to your database. This violates IDS00-J. Prevent SQL injection.
  9. IDS34-PL. Do not pass untrusted, unsanitized data to a command interpreter

    of component-based software engineering. Command and argument injection vulnerabilities occur when an application fails to sanitize untrusted input and uses … with a - or / to indicate a switch. This rule is a specific instance of IDS33-PL. Sanitize untrusted data passed across a trust boundary. Any string data that originates from
  10. Re: IDS56-J. Prevent arbitrary file upload

    sanitization of files uploaded to a web app. The Applicability section.