From: Sean Morrison <brlcad@us...> - 2007-12-22 19:31:00
Update of /cvsroot/brlcad/brlcad/misc
In directory sc8-pr-cvs3.sourceforge.net:/tmp/cvs-serv2235/misc
The message was wrong for scanf() warnings about the %s modifier when all we know in the default case is that it's not a constant.
RCS file: /cvsroot/brlcad/brlcad/misc/flawfinder,v
retrieving revision 14.1
retrieving revision 14.2
diff -w -u -r14.1 -r14.2
--- flawfinder 14 Oct 2007 05:27:24 -0000 14.1
+++ flawfinder 22 Dec 2007 19:31:02 -0000 14.2
@@ -604,7 +604,8 @@
hit.note = "No risky scanf format detected."
# Format isn't a constant.
- hit.note = "If the scanf format is influenceable by an attacker, it's exploitable."
+ hit.warning = "If format strings to scanf's family of functions can be influenced by an attacker, they can be exploited"
+ hit.suggestion = "Use a constant for the format specification"
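Review bot: the non-constant branch now sets hit.warning and hit.suggestion but no longer sets hit.note, whereas the constant-format branch just above the comment still sets hit.note; if the report prints the note field separately from the warning, the non-constant case will carry whatever note was already on the hit rather than one describing this case, so consider keeping a short hit.note here as well (e.g. `hit.note = "Format isn't a constant."`). Also, the new warning string ends without a period, unlike the "No risky scanf format detected." note in the same block; `... they can be exploited.` would keep the two consistent.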