Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:46192 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 71622 invoked from network); 25 Nov 2009 16:09:42 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 25 Nov 2009 16:09:42 -0000 Authentication-Results: pb1.pair.com smtp.mail=jess@zend.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=jess@zend.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain zend.com designates 212.25.124.185 as permitted sender) X-PHP-List-Original-Sender: jess@zend.com X-Host-Fingerprint: 212.25.124.185 il-mr1.zend.com Received: from [212.25.124.185] ([212.25.124.185:50552] helo=il-mr1.zend.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 91/15-45906-3C65D0B4 for ; Wed, 25 Nov 2009 11:09:42 -0500 Received: from il-gw1.zend.com (unknown [10.1.1.21]) by il-mr1.zend.com (Postfix) with ESMTP id 7007150462; Wed, 25 Nov 2009 17:56:19 +0200 (IST) Received: from [10.1.2.102] ([10.1.2.102]) by il-gw1.zend.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 25 Nov 2009 18:09:36 +0200 Message-ID: <4B0D56BF.6090505@zend.com> Date: Wed, 25 Nov 2009 18:09:35 +0200 User-Agent: Mozilla-Thunderbird 2.0.0.22 (X11/20090706) MIME-Version: 1.0 To: Rasmus Lerdorf CC: Michael Maclean , internals@lists.php.net References: <4B0BE3B5.1030606@no-surprises.co.uk> <4B0D23E4.4070305@zend.com> <4B0D50B5.4010105@lerdorf.com> In-Reply-To: <4B0D50B5.4010105@lerdorf.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 25 Nov 2009 16:09:36.0288 (UTC) FILETIME=[AEEA5200:01CA6DE9] Subject: Re: [PHP-DEV] [PATCH] potential null dereference in ext/ftp/ftp.c From: jess@zend.com (Jess Portnoy) Hello, I agree that it [potentially] many false positives and the is even addressed in the homepage. While this is common to most static analyzers to some extent and requires going through each "find" with care while mumbling "again with this crap..", I still think it has some value. One person's opinion. May the source be with you, Best regards, Jess Portnoy Rasmus Lerdorf wrote: > Jess Portnoy wrote: > >> Hello, >> >> clang is indeed a great tool but since it does a lot more than just >> static analysis. >> For those cases where one wants source code analysis, especially >> security oriented, I'd recommend flawfinder >> [http://www.dwheeler.com/flawfinder]. >> > > I find that flawfinder is way too simplistic. It just does a grep for > certain strings and spews a canned warning. For example: > > basic_functions.c:137: [4] (buffer) sprintf: > Does not check for buffer overflows. Use snprintf or vsnprintf. > basic_functions.c:2778: [4] (buffer) sprintf: > Does not check for buffer overflows. Use snprintf or vsnprintf. > basic_functions.c:2779: [4] (format) printf: > If format strings can be influenced by an attacker, they can be > exploited. Use a constant for the format specification. > > Now, that sounds very scary, until you look at those source code lines: > > 137: #undef sprintf > > 2778: PHP_NAMED_FE(sprintf, PHP_FN(user_sprintf), arginfo_sprintf) > 2779: PHP_NAMED_FE(printf, PHP_FN(user_printf), arginfo_printf) > > It is so littered with false positives like this that I don't find it > useful. > > -Rasmus >