...

Code Block (perl):

  sub validate_password {
    my ($password) = @_;
    my $is_ok = ($password eq "goodpass");
    # print() treats its argument as plain data, not as a format string,
    # so any "%" directives in the interpolated $prompt are emitted literally
    print "$prompt: Password ok? $is_ok\n";
    return $is_ok;
  }

# ...

Risk Assessment

  Recommendation   Severity   Likelihood   Remediation Cost   Priority   Level
  IDS30-PL         high       probable     low                P18        L1

Automated Detection

Perl's taint mode provides partial detection of unsanitized input in format strings.

Perl's warnings can detect if a call to printf() or sprintf() contains the wrong number of format string arguments.

  Tool                                   Diagnostic
  Warnings                               Missing argument in .*printf
  Taint mode                             Insecure dependency in .*printf
  Security Reviewer - Static Reviewer    PERL_D90
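The following is an added example, not code from the CERT page, showing the two diagnostics above in practice: the same user-controlled prompt string passed once as the printf format (where Perl's warnings report the missing argument) and once as a plain argument to a constant format. The $prompt value is constructed here to stand in for input read from the user; it is not tainted, so the taint-mode check only fires if the script is run under -T with $prompt read from STDIN.

```perl
use strict;
use warnings;

# Constructed stand-in for a user-supplied prompt. The "%s" directives
# are exactly what an attacker-controlled string may contain.
my $prompt = "Please enter your password %s %s";   # constructed, untrusted

sub validate_password {
    my ($password) = @_;
    return ($password eq "goodpass") ? 1 : 0;
}

# Noncompliant: the untrusted string becomes part of the format.
# Under "use warnings" Perl reports "Missing argument in printf"
# because the %s directives have no corresponding arguments.
sub report_noncompliant {
    my ($is_ok) = @_;
    printf "$prompt: Password ok? $is_ok\n";   # untrusted data used as format
}

# Compliant: the format is a constant; the untrusted text is an argument,
# so its "%" characters are printed literally and never interpreted.
sub report_compliant {
    my ($is_ok) = @_;
    printf "%s: Password ok? %d\n", $prompt, $is_ok;
}

# Collect warnings so the diagnostic can be inspected (or asserted on
# in a test harness) instead of only scrolling past on STDERR.
my @warnings;
$SIG{__WARN__} = sub { push @warnings, $_[0] };

my $ok = validate_password("badpass");
report_noncompliant($ok);
my $after_noncompliant = scalar @warnings;
report_compliant($ok);

print "warnings from noncompliant call: $after_noncompliant\n";
print "warnings from compliant call:    ", scalar(@warnings) - $after_noncompliant, "\n";
print "  $_" for @warnings;
```

Running the script with `perl -T` and `my $prompt = <STDIN>;` in place of the constructed value turns the noncompliant call into the fatal "Insecure dependency in printf" listed under Taint mode, while the compliant call still succeeds.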

Related Guidelines

Bibliography

...


...