From: Michael Howard (mikehow_at_microsoft.com)
Date: Tue Jan 28 2003 - 18:40:07 CST
Seeing as everyone is piling in with their list of "safer" string
handling functions - We also released a header file, strsafe.h, which
is being used internally...
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/strsafe.asp
Of course, the real way to build secure software is not to use "safe"
functions, but to check data validity :-)
Cheers, Michael
Secure Windows Initiative
Writing Secure Code 2nd Edition
http://www.microsoft.com/mspress/books/5957.asp
-----Original Message-----
From: mlh_at_zip.com.au [mailto:mlh_at_zip.com.au]
Sent: Tuesday, January 28, 2003 3:38 PM
To: Timo Sirainen
Cc: Ed Carp; secprog_at_securityfocus.com
On Tue, Jan 28, 2003 at 08:37:37PM +0200, Timo Sirainen wrote:
>
> I'd suggest not using C's string handling functions at all, they're
> way too annoying to be used safely (or at all, really). There's many
> libraries that make things easier for you, GLIB and libowfat comes to
> my mind at first. I've also put a stripped down version of my library
> available at http://irccrew.org/~cras/security/lib/
Another library 'libslack' has a rich set of string functions:
http://libslack.org/manpages/str.3.html
Matt
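
The point made in the message above, that a "safe" function is no substitute for checking data validity, shown as an added example that is not part of the original thread and is not code from strsafe.h or any library named here. The function names, the 8-character limit and the allowed character set are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define USER_MAX_LEN 8  /* assumed policy limit for this example */

/* Bounded copy only: never writes past dst, but silently truncates. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t i;

    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    for (i = 0; i + 1 < dstsz && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return 0;
}

/* Validate first: reject input that is empty, longer than the policy
 * limit or the buffer, or contains anything outside [A-Za-z0-9_].
 * dst is written only when every check has passed. */
int copy_validated(char *dst, size_t dstsz, const char *src)
{
    size_t len;

    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    for (len = 0; src[len] != '\0'; len++) {
        if (len >= USER_MAX_LEN || len + 1 >= dstsz)
            return -1;                      /* too long: reject, do not cut */
        if (!isalnum((unsigned char)src[len]) && src[len] != '_')
            return -1;                      /* unexpected character */
    }
    if (len == 0)
        return -1;                          /* empty input */
    memcpy(dst, src, len + 1);              /* length already checked */
    return 0;
}

int main(void)
{
    char buf[USER_MAX_LEN + 1];
    const char *input = "alice_backup_2003";  /* constructed sample input */

    copy_bounded(buf, sizeof buf, input);
    printf("bounded copy stored: \"%s\"\n", buf);   /* a different name */
    printf("validated copy returned: %d\n",
           copy_validated(buf, sizeof buf, input)); /* rejected */
    return 0;
}
```

The bounded copy avoids the overflow yet stores a name the caller never supplied; the validating version refuses the input so the caller can handle the error.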