#48 Security vulnerabilities

Milestone: v1.0 (example)
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2026-01-16
Created: 2026-01-16
Creator: Josh
Private: No

We use a tool to find security issues in our code and in code we use. The following issues were identified as "high" or "critical" level issues in the ex3270 source code (version 4.5ga5). If these are useful, I can provide additional feedback on possible security vulnerabilities that were deemed lower priority.

Potential for OS command injection via system call

  • wc3270/wizard.c:4801
  • x3270/print_window.c:183
  • Common/c3270/c3270.c:2127
  • x3270/print_window.c:98
  • wc3270/select.c:323

Potential for OS command injection

  • Common/pr3287/ctlr.c:1417
  • Common/childscript.c:1329
  • Common/pr3287_session.c:738
  • Common/print_command.c:152
  • Common/xpopen.c:99
  • Common/trace.c:734
  • tcl3270/tcl3270.c:666

Insecure use of the strcopy function

The tool recommends using strcpy_s or performing explicit length checks before copying data to ensure the destination buffer is large enough.

  • wc3270/wizard.c:4947
  • wc3270/wizard.c:666
  • wc3270/wizard.c:2244
  • wc3270/wizard.c:2824
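
The explicit length check the tool recommends as the alternative to strcpy_s, shown as an added example that is not code from the x3270 sources or from the reporter. The helper name copy_checked, the 8-byte buffer and the sample strings are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * copy_checked (hypothetical helper, not from the x3270 sources):
 * copy src into dst only if it fits, including the terminating NUL.
 * Returns 0 on success. On failure returns EINVAL (bad arguments) or
 * ERANGE (src too long) and leaves dst as an empty string, so a caller
 * that ignores the result never sees a truncated or unterminated value.
 * dst and src must not overlap.
 */
static int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst == NULL || dst_size == 0)
        return EINVAL;
    dst[0] = '\0';
    if (src == NULL)
        return EINVAL;

    /* Bounded scan: never read more than dst_size bytes of src. */
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size)
        return ERANGE;          /* no room left for the NUL terminator */

    memcpy(dst, src, len + 1);  /* len + 1 <= dst_size is guaranteed here */
    return 0;
}

int main(void)
{
    char name[8];  /* constructed sample destination buffer */
    const char *inputs[] = {    /* constructed sample inputs */
        "wc3270", "1234567", "12345678", "a-much-longer-session-name"
    };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        int rc = copy_checked(name, sizeof(name), inputs[i]);
        printf("%-28s rc=%d dst=\"%s\"\n", inputs[i], rc, name);
    }
    return 0;
}
```

Rejecting an oversized source instead of truncating it keeps a shortened path or host name from being used silently further on.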
