From: Sebastian Pipping Date: Sat, 21 Jun 2008 00:14:19 +0000 (+0200) Subject: Security flaws in FAPG 0.41 and related patches X-Git-Tag: v0.42~2 X-Git-Url: http://royale.zerezo.com/git/?p=FAPG;a=commitdiff_plain;h=7bc9401a06cc6d62d53ac50139743599530f2dd8 Security flaws in FAPG 0.41 and related patches Hello Antoine! As part of a security course at university our group has studied code of FAPG 0.38. With the help of Splint [1] we were able to find two security flaws that are still present in FAPG 0.41. I have attached a patch to this mail for each flaw. Would be cool if you could include these patches in the next FAPG release. Best regards, Sebastian [1] http://www.splint.org/ Signed-off-by: Antoine Jacquet --- diff --git a/fapg.c b/fapg.c index 17b02b8..0c72af8 100644 --- a/fapg.c +++ b/fapg.c @@ -425,7 +425,7 @@ void print_webpath(const char *path) { const char *c = path; - printf(prefix); /* we must not modify this part */ + printf("%s", prefix); /* we must not modify this part */ if(*c == '.' && c[1] == '/') { /* remove leading "./" when parsing current directory */ c += 2; /* maybe there follow many slashes */ @@ -443,7 +443,7 @@ void print_webpath(const char *path) void print_path(const char *path) { const char *c = path; - printf(prefix); + printf("%s", prefix); /* skip leading "./" when parsing current directory */ if(*c == '.' && *(c + 1) == '/') { c += 2; @@ -500,7 +500,6 @@ void reference(const char *title) pipe = popen(command, "r"); if(pipe == NULL) { fprintf(stderr, "Warning >> can't open pipe >%s< !\n", command); - free(command); return; } fgets(buffer, 1020, pipe);
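Review bot: In print_webpath (hunk @@ -425,7 +425,7 @@), printf("%s", prefix) stops prefix from being interpreted as a format string, but fputs(prefix, stdout) would do the same without any format parsing and states the intent more directly. The commit message should also name the flaw class (prefix passed as the format argument) instead of only "two security flaws". Building with -Wformat-security would help confirm that no other printf call in fapg.c takes a non-literal format.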
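Review bot: In print_path (hunk @@ -443,7 +443,7 @@), the prologue that prints prefix and then skips a leading "./" duplicates the one in print_webpath, and the two copies already differ in style (c[1] there, *(c + 1) here). Consider moving it into a small shared helper so that a later edit cannot reintroduce printf(prefix) in one copy only.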
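Review bot: In reference() (hunk @@ -500,7 +500,6 @@), the removal of free(command) on the popen() failure path has no stated rationale, and the hunk does not show how command is allocated. If command is heap memory, this early return now leaks it. If it is not heap memory, or it is released elsewhere, say so in the commit message or in a comment at the return. Separately, the context line fgets(buffer, 1020, pipe) ignores the return value, so any later use of buffer would see stale or uninitialized data when the command produces no output. A NULL check there is worth a follow-up.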