On 09.08.12 20:02, Jon Trulson wrote:
> On Thu, 9 Aug 2012, Marc Balmer wrote:
>
>> A few more sprintf() to snprintf() conversions.
>>
>
> Applied, thanks!
>
> ---
>
>> We need to find a proper way to replace strcpy() and strcat(), maybe
>> keep a local copy of strlcpy() and strlcat() from OpenBSD around
>> somewhere? Other suggestions?
>>
>
> Hmmm... I'm leery of introducing further dependencies... Is it really
> worth it? Do you have any idea how many strcpy et al. are in CDE? :)

strcpy() and strcat() are, much like sprintf(), a major source of buffer overflows and are a real threat. These functions are notoriously unsafe and it is really hard to use them in a safe manner consistently. They are best avoided altogether. And yes, all three of them are used a lot in CDE (and in OpenMotif, too, fwiw).

The strlcpy() and strlcat() functions provide a safe replacement that, unlike strncpy(), guarantees the resulting string to be always NUL terminated. This is a huge plus in safety, at almost no price. So I'd say, yes, it's definitely worth it.

All BSDs have strl...(), it's not in glibc for merely political reasons, a story I will not warm up here. Linking to libbsd on Linux is certainly a very good idea, for the reason to get the strl-functions.

_______________________________________________
cdesktopenv-devel mailing list
cdesktopenv-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cdesktopenv-devel
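
The NUL-termination difference discussed in the message above, as an added example that is not part of the original thread or of CDE's code. `demo_strlcpy()` and `demo_strlcat()` are hypothetical local stand-ins written to follow the OpenBSD semantics, and the paths are constructed sample inputs.

```c
#include <stdio.h>
#include <string.h>

/* strlcpy() semantics: copy <= size-1 bytes, always terminate, return strlen(src). */
size_t demo_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;                 /* >= size means the copy was truncated */
}

/* strlcat() semantics: size is the full size of dst; returns the length it tried to build. */
size_t demo_strlcat(char *dst, const char *src, size_t size)
{
    size_t dlen = 0;
    while (dlen < size && dst[dlen] != '\0')
        dlen++;                    /* never scan past the buffer */
    if (dlen == size)              /* dst unterminated: do not touch it */
        return size + strlen(src);
    return dlen + demo_strlcpy(dst + dlen, src, size - dlen);
}

/* Does strncpy() into buf leave a NUL somewhere in its first size bytes? */
int strncpy_terminates(char *buf, size_t size, const char *src)
{
    strncpy(buf, src, size);
    return memchr(buf, '\0', size) != NULL;
}

/* Builds "dir/file" in out; returns 0 on success, -1 on truncation. */
int build_path(char *out, size_t size, const char *dir, const char *file)
{
    if (demo_strlcpy(out, dir, size) >= size) return -1;
    if (demo_strlcat(out, "/", size) >= size) return -1;
    return demo_strlcat(out, file, size) >= size ? -1 : 0;
}

int main(void)
{
    char small[8], path[16];       /* constructed sample inputs below */
    printf("strncpy terminates: %d\n",
           strncpy_terminates(small, sizeof small, "/usr/dt/bin"));
    printf("too long: %d\n",
           build_path(path, sizeof path, "/usr/dt/bin", "dtterm"));
    return 0;
}
```

The return value is what lets a caller detect truncation instead of silently using a shortened string, which matters for paths and command lines.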