david-a-wheeler / flawfinder

a static analysis tool for finding vulnerabilities in C/C++ source code


if (!strncasecmp(arg, "file://", strlen("file://"))) throws an issue #21

vtorri opened this issue · comments

https://app.codacy.com/gh/vtorri/entice/issues?categoryType=Security

Codacy finds potential security problems in strlen calls:

Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126)

Code:

if (!strncasecmp(arg, "file://", strlen("file://")))

But strlen("file://") is always 7, as we pass a static string which is always correctly 0-terminated.

I could probably work up a pull request, at least for the simplest case of a single double-quoted string argument. I will need to understand the unit tests, so I can add a proper unit test for the exception as well.

@dwvisser - that would be awesome!
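The exception discussed in this thread (a `strlen` call whose only argument is a single double-quoted string literal cannot over-read, so CWE-126 does not apply) can be checked as follows. This is an added example, not flawfinder's own code or the proposed pull request; the function names and the sample C lines are assumptions made for illustration.

```python
import re

# One C string literal: double-quoted, backslash escapes allowed inside.
STRING_LITERAL = re.compile(r'\s*"(?:[^"\\\n]|\\.)*"\s*')
STRLEN_CALL = re.compile(r'\bstrlen\s*\(')


def extract_argument(source, start):
    """Return the text from `start` up to the matching ')', or None."""
    depth, i, quote = 1, start, None
    while i < len(source):
        ch = source[i]
        if quote:                      # inside a string or char literal
            if ch == '\\':
                i += 1                 # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in '"\'':
            quote = ch
        elif ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0:
                return source[start:i]
        i += 1
    return None                        # unterminated call


def classify_strlen_calls(source):
    """Return (argument, is_constant) for every strlen call in `source`."""
    results = []
    for match in STRLEN_CALL.finditer(source):
        arg = extract_argument(source, match.end())
        if arg is not None:
            results.append((arg.strip(), bool(STRING_LITERAL.fullmatch(arg))))
    return results


# Constructed sample: the line from the issue plus contrasting cases.
SAMPLE = r'''
if (!strncasecmp(arg, "file://", strlen("file://")))
n = strlen(arg);
m = strlen("a)\"b");
k = strlen(cond ? "x" : y);
'''
if __name__ == "__main__":
    for arg, constant in classify_strlen_calls(SAMPLE):
        print("skip (constant)" if constant else "report CWE-126", arg)
```

Only the single-literal case is treated as constant; adjacent literals such as `strlen("a" "b")` and any expression that merely contains a literal are still reported.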