Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:46191
Return-Path: <rasmus@lerdorf.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 67933 invoked from network); 25 Nov 2009 15:45:02 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 25 Nov 2009 15:45:02 -0000
Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lerdorf.com from 209.85.218.213 cause and error)
X-PHP-List-Original-Sender: rasmus@lerdorf.com
X-Host-Fingerprint: 209.85.218.213 mail-bw0-f213.google.com  
Received: from [209.85.218.213] ([209.85.218.213:36970] helo=mail-bw0-f213.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 91/84-45906-BF05D0B4 for <internals@lists.php.net>; Wed, 25 Nov 2009 10:45:01 -0500
Received: by bwz5 with SMTP id 5so7373064bwz.23
        for <internals@lists.php.net>; Wed, 25 Nov 2009 07:44:56 -0800 (PST)
Received: by 10.103.184.5 with SMTP id l5mr2373169mup.34.1259163833302;
        Wed, 25 Nov 2009 07:43:53 -0800 (PST)
Received: from ?192.168.200.22? (c-98-234-184-167.hsd1.ca.comcast.net [98.234.184.167])
        by mx.google.com with ESMTPS id n7sm22378642mue.24.2009.11.25.07.43.51
        (version=TLSv1/SSLv3 cipher=RC4-MD5);
        Wed, 25 Nov 2009 07:43:52 -0800 (PST)
Message-ID: <4B0D50B5.4010105@lerdorf.com>
Date: Wed, 25 Nov 2009 07:43:49 -0800
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: Jess Portnoy <jess@zend.com>
CC: Michael Maclean <michael@no-surprises.co.uk>, 
 internals@lists.php.net
References: <4B0BE3B5.1030606@no-surprises.co.uk> <4B0D23E4.4070305@zend.com>
In-Reply-To: <4B0D23E4.4070305@zend.com>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] [PATCH] potential null dereference in ext/ftp/ftp.c
From: rasmus@lerdorf.com (Rasmus Lerdorf)

Jess Portnoy wrote:
> Hello,
> 
> clang is indeed a great tool but since it does a lot more than just
> static analysis.
> For those cases where one wants source code analysis, especially
> security oriented, I'd recommend flawfinder
> [http://www.dwheeler.com/flawfinder].

I find that flawfinder is way too simplistic.  It just does a grep for
certain strings and spews a canned warning.  For example:

basic_functions.c:137:  [4] (buffer) sprintf:
  Does not check for buffer overflows. Use snprintf or vsnprintf.
basic_functions.c:2778:  [4] (buffer) sprintf:
  Does not check for buffer overflows. Use snprintf or vsnprintf.
basic_functions.c:2779:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be
  exploited. Use a constant for the format specification.

Now, that sounds very scary, until you look at those source code lines:

137: #undef sprintf

2778: 	PHP_NAMED_FE(sprintf,	PHP_FN(user_sprintf),	arginfo_sprintf)
2779:	PHP_NAMED_FE(printf,	PHP_FN(user_printf),	arginfo_printf)

It is so littered with false positives like this that I don't find it
useful.

-Rasmus