-
-
Notifications
You must be signed in to change notification settings - Fork 639
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Are format string vulnerabilities only relevant to memory unsafe languages? #1731
Comments
Josh to move this somewhere.... |
Hi @tghosth, I was browsing the other issues and our current ASVS 5.0 repo and I think these requirements What do you think? |
I'm not sure I agree @csfreak92 , this seems like a pretty clear cut validation/sanitization. 10.4 is basically for code level requirements with other types of mitigation that don't fit anywhere else :) I would suggest putting this in "V5.2 Sanitization and Sandboxing" and rewording as follows:
|
Ah I see, yeah now that I think about it this requirement makes more sense in sanitization chapter. This new modification feels something missing to me. I couldn't place what it is, but maybe we need to clarify what format string vulnerabilities are? Do we have a text in this v5 sanitization chapter to explain it? |
So how about:
I think format strings is pretty Googleable |
@csfreak92 do you still feel we need to add context about format strings? Maybe in a reference? |
Yeah, a bit more context about format string vulnerabilities would help a long way @tghosth |
PR Submitted |
Are format string vulnerabilities only relevant to memory unsafe languages?
Requirement 5.4.2 is in a section that is more about memory unsafe languages but I have two problems:
Any thoughts?
History:
The text was updated successfully, but these errors were encountered: