Secure Coding mailing list archives

Programming language comparison?


From: rcs at cert.org (Robert C. Seacord)
Date: Tue, 05 Feb 2008 17:09:05 -0500

Steven,

A while back Hal Burch and I wrote an article on "Programming Language
Format String Vulnerabilities" which is available here:

http://www.ddj.com/security/197002914

In the article we looked at the potential consequences of format string
vulnerabilities in Perl, PHP, Java, Python, and Ruby programs.

Sorry, we didn't write anything about Ada.  ;^)

rCs

On Mon, 4 Feb 2008, ljknews wrote:

  
("%99999999s" to fill up disk or memory, anybody?), so it's marked with
"All" and it's not in the C-specific view, even though there's a heavy
concentration of format strings in C/C++.
      
It is marked as "All" ?

What is the construct in Ada that has such a risk ?
    

Hmmmm, I don't see any, but then again I don't know Ada.  Is there no
equivalent to format strings in Ada?  No library support for it?

Your question actually highlights the point I was trying to make - in CWE,
we don't yet have a way of specifying language families, such as "any
language that directly supports format strings," or "any language with
dynamic evaluation."

- Steve
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
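The "%99999999s" case Steve raises above, worked through as an added example in Python (one of the languages Seacord's article covers; this code is not from the thread or the article). It estimates how much output a printf-style format string commits to before any argument is rendered, rejects formats whose width fields are unbounded or over a cap, and shows the actual fix: untrusted text goes in as an argument, never as the format. The `MAX_FIELD_WIDTH` policy value is an assumption chosen for the example.

```python
import re

# Python "%"-style conversion specifier: %[(key)][flags][width][.precision][length]type
# (regex constructed for this example from the grammar in the Python docs)
_SPEC = re.compile(
    r"%(?:\([^)]*\))?[-+ #0]*(?P<width>\*|\d+)?(?:\.(?P<prec>\*|\d+))?"
    r"[hlL]?(?P<type>[diouxXeEfFgGcrsa%])"
)

# Assumed policy limit for this example; field widths above it are not legitimate here.
MAX_FIELD_WIDTH = 4096


def minimum_output_size(fmt: str) -> int:
    """Lower bound on the rendered length implied by the format string alone.

    Literal characters count once; each conversion contributes at least its
    minimum field width, so "%99999999s" costs ~100 MB before any argument
    is even looked at.  This is the disk/memory-filling effect in the thread.
    """
    total, pos = 0, 0
    for m in _SPEC.finditer(fmt):
        total += m.start() - pos          # literal text before this specifier
        pos = m.end()
        if m.group("type") == "%":
            total += 1                    # "%%" renders as a single "%"
        elif m.group("width") and m.group("width") != "*":
            total += int(m.group("width"))
    return total + (len(fmt) - pos)       # trailing literal text


def format_is_acceptable(fmt: str) -> bool:
    """Reject formats whose width is unbounded ('*') or exceeds the policy cap."""
    for m in _SPEC.finditer(fmt):
        width = m.group("width")
        if width == "*" or (width and int(width) > MAX_FIELD_WIDTH):
            return False
    return True


def render_checked(fmt: str, *args) -> str:
    """Apply a format string only after it passes the width policy."""
    if not format_is_acceptable(fmt):
        raise ValueError("format string exceeds width policy")
    return fmt % args


def render_untrusted_text(text: str) -> str:
    """The real fix: untrusted input is an argument, so "%99999999s" is just 10 chars."""
    return "%s" % text
```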