[Owasp-esapi-c++] containsCharacter( char, char[])
Jeffrey Walton
noloader at gmail.com
Fri Aug 5 15:58:24 EDT 2011
On Fri, Aug 5, 2011 at 10:11 AM, Daniel Amodio
<dan.amodio at aspectsecurity.com> wrote:
> Then really we should force passing it in a container that specifies length.
> Otherwise...
Yes. Here's how I handle it:
void Foo(<parameters>, int* error)
{
    if(... failed ...)
    {
        // error is a single int*, so a NULL check is all the validation needed
        if(error)
            *error = <the error>;
    }
}
In Foo(), the function expects a single int*. No length is necessary.
This holds for all POD types - bool, long, etc. Better would be a
reference, since a reference *cannot* be NULL (we can do away with
parameter validation and ASSERT'ing on `error`).
void Bar(byte bar[], ...)
{
    ...
}

// byte bar[] in a parameter list decays to byte*, so this is the same signature
void Bar(byte* bar, ...)
{
    ...
}
In function Bar(), `bar` is a variable length array (not a single
element pointer). `bar` must provide an explicit length. If the code
does not provide a length, it is making assumptions about the length
of `bar`. The code must assume the length is 0 (it's a defensive
position).
I will usually kick code that assumes lengths on arrays, or makes an
assumption that there are non-zero elements.
> who's to say they don't pass a bad length (intentionally or unintentionally)?
Right. And who's to say it was not an unintentional error which
originates in ESAPI itself (i.e., not under attacker control). All
arrays have lengths, which must be specified to mitigate these sorts
of things.
Jeff
> -----Original Message-----
> From: Kevin W. Wall [mailto:kevin.w.wall at gmail.com]
> Sent: Friday, August 05, 2011 10:07 AM
> To: Daniel Amodio
> Cc: noloader at gmail.com; ESAPI C++ List
> Subject: Re: [Owasp-esapi-c++] containsCharacter( char, char[])
>
> On Fri, Aug 5, 2011 at 9:48 AM, Daniel Amodio <dan.amodio at aspectsecurity.com> wrote:
>> Would there be any drawback to providing functions for a couple different types? Or should we force developers to use the safer methods?
>>
>> I'm thinking some developers may rely heavily on char, char[]s or std::string, and may be frustrated at converting them.
>> We can add some methods that convert and then call the "safe" method.
>>
>> containsChar(char, char[]) {
>>     // convert
>>     return containsChar(safeType, otherSafeType);
>> }
>>
>> You can get the length of char arrays by doing
>> sizeof(theArray)/sizeof(char), so that may prevent overruns
>
> You are forgetting C++'s ugly warts it inherits from C. Note that 'char*' and 'char[]' can be used interchangeably. And who's to say that 'char*' is really meant to point to a null-terminated C string?
>
> No, I think we need to make passing the length explicit for char[].
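An added example (not ESAPI code, and not from anyone in this thread) of the explicit-length containsCharacter the discussion converges on, with a wrapper that forwards std::string to it, an array-reference overload for the one case where the compiler really knows the length, and a function showing why sizeof(theArray)/sizeof(char) fails once the array has decayed to a pointer. The function names and the kSample buffer are constructed for this illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Constructed sample: three bytes with an embedded NUL, so any routine that
// guesses the length from a terminator would never see the 'x'.
const char kSample[] = {'a', '\0', 'x'};

// Explicit-length form: the caller states how many bytes are valid, and a
// NULL buffer is treated as the defensive length-0 case rather than read.
bool containsCharacter(char c, const char* buf, std::size_t len) {
    if (buf == nullptr) return false;
    for (std::size_t i = 0; i < len; ++i) {
        if (buf[i] == c) return true;
    }
    return false;
}

// Overload for a true array: N is deduced by the compiler, so the length is
// still explicit but cannot be mistyped. For a string literal N includes
// the terminating NUL.
template <std::size_t N>
bool containsCharacter(char c, const char (&arr)[N]) {
    return containsCharacter(c, arr, N);
}

// Convenience wrapper that converts and then calls the "safe" method.
bool containsCharacter(char c, const std::string& s) {
    return containsCharacter(c, s.data(), s.size());
}

// The wart from the thread: once an array decays to char*, sizeof measures
// the pointer, not the array, so sizeof(p)/sizeof(char) is the pointer size.
std::size_t decayedSizeof(const char* p) {
    return sizeof(p) / sizeof(char);
}

int main() {
    std::printf("x in sample (len 3): %d\n", containsCharacter('x', kSample, 3));
    std::printf("x in sample (len 1): %d\n", containsCharacter('x', kSample, 1));
    std::printf("sizeof after decay: %zu (array is %zu)\n",
                decayedSizeof(kSample), sizeof(kSample));
    return 0;
}
```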