Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.
SqlClientPermission
object, which regulates how users are allowed to connect to a database. In this example, the program passes false
as the second parameter to the constructor, which controls whether users are allowed to connect with blank passwords. Passing false to this parameter indicates that blank passwords should not be allowed.
...
SCP = new SqlClientPermission(pstate, false);
...
PermissionState
object passed as the first parameter supersedes any value passed to the second parameter, the constructor allows blank passwords for database connections, which contradicts the second argument. To disallow blank passwords, the program should pass PermissionState.None
to the first parameter of the constructor. Because of the ambiguity in its functionality, the two-parameter version of the SqlClientPermission
constructor has been deprecated in favor of the single parameter version, which conveys the same degree of information without the risk of misinterpretation.getpw()
to verify that a plain text password matches a user's encrypted password. If the password is valid, the function sets result
to 1; otherwise it is set to 0.
...
getpw(uid, pwdline);
for (i=0; i<3; i++){
cryptpw=strtok(pwdline, ":");
pwdline=0;
}
result = strcmp(crypt(plainpw,cryptpw), cryptpw) == 0;
...
getpw(
) function can be problematic from a security standpoint, because it can overflow the buffer passed to its second parameter. Because of this vulnerability, getpw()
has been supplanted by getpwuid()
, which performs the same lookup as getpw()
but returns a pointer to a statically-allocated structure to mitigate the risk.
...
String name = new String(nameBytes, highByte);
...
nameBytes
. Due to the evolution of the charsets used to encode strings, this constructor was deprecated and replaced by a constructor that accepts as one of its parameters the name of the charset
used to encode the bytes for conversion.Digest::HMAC
stdlib, which use of is explicitly discouraged in the documentation due to accidental involvement within a release.
require 'digest/hmac'
hmac = Digest::HMAC.new("foo", Digest::RMD160)
...
hmac.update(buf)
...
Digest::HMAC
class was deprecated immediately upon involvement due to accidental inclusion within a release. Due to possibility of this not working as expected because of experimental and not properly tested code, use of this is highly discouraged, especially considering the relation HMACs have in relation to cryptographic functionality.block.blockhash()
, which has been deprecated since version 0.5.0 of the Solidity compiler.
bytes32 blockhash = block.blockhash(0);