Secure Coding mailing list archives
Programming language comparison?
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 5 Feb 2008 16:44:57 -0500 (EST)
On Mon, 4 Feb 2008, ljknews wrote:
("%99999999s" to fill up disk or memory, anybody?), so it's marked with "All" and it's not in the C-specific view, even though there's a heavy concentration of format strings in C/C++.

It is marked as "All"? What is the construct in Ada that has such a risk?

Hmmmm, I don't see any, but then again I don't know Ada. Is there no equivalent to format strings in Ada? No library support for it?

Your question actually highlights the point I was trying to make - in CWE, we don't yet have a way of specifying language families, such as "any language that directly supports format strings," or "any language with dynamic evaluation."

- Steve
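
The "%99999999s" width problem quoted in the message above is not tied to C: any language with printf-style formatting will try to build the padded field. As an added example (not part of the original post), here is a Python check that caps field widths and precisions in format strings taken from untrusted input; the 1024 limit and all function names are assumptions made for illustration.

```python
import re

# One printf-style conversion as accepted by Python's % operator:
# %[(key)][flags][width][.precision][length]type
_SPEC = re.compile(
    r"%(?:\([^)]*\))?[#0\- +]*(?P<width>\*|\d+)?(?:\.(?P<prec>\*|\d+))?"
    r"[hlL]?[diouxXeEfFgGcrsa%]"
)

MAX_FIELD = 1024  # assumed policy limit on any width or precision


class UnsafeFormat(ValueError):
    """Raised when a format string asks for an oversized or dynamic field."""


def check_format(fmt, max_field=MAX_FIELD):
    """Return the largest width/precision in fmt, or raise UnsafeFormat."""
    largest = 0
    for m in _SPEC.finditer(fmt):
        for part in (m.group("width"), m.group("prec")):
            if part is None:
                continue
            if part == "*":
                # '*' takes the width from an argument, so it cannot be bounded here.
                raise UnsafeFormat("argument-supplied width/precision: %r" % m.group(0))
            digits = part.lstrip("0") or "0"
            # Compare digit count first so very long digit runs never reach int().
            if len(digits) > len(str(max_field)) or int(digits) > max_field:
                raise UnsafeFormat("field too large: %r" % m.group(0))
            largest = max(largest, int(digits))
    return largest


def is_safe(fmt, max_field=MAX_FIELD):
    """Boolean wrapper around check_format."""
    try:
        check_format(fmt, max_field)
        return True
    except UnsafeFormat:
        return False


def safe_format(fmt, args, max_field=MAX_FIELD):
    """Apply fmt % args only after the format string passes the size check."""
    check_format(fmt, max_field)
    return fmt % args
```
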
