Subject: rats: doesn't escape HTML tags found in the C code
Package: rats
Version: 2.1-3
Severity: normal
Tags: patch

When using the options --context and --html, rats doesn't escape HTML code found in the C code when creating HTML reports. Here is an example:


[EMAIL PROTECTED]:~/rats-test$ cat test.c
#include <stdio.h>

int main(void)
{
  char a[50];

  strcpy(a, "hi\n");
  printf(a, "<script>alert(31337)</script>");

  return 0;
}
[EMAIL PROTECTED]:~/rats-test$ /usr/bin/rats --context --html test.c
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head></head>
<body>
Entries in perl database: <b>33</b><br>
Entries in python database: <b>62</b><br>
Entries in c database: <b>336</b><br>
Entries in php database: <b>55</b><br>
<br><br>Analyzing <b>test.c</b><br>
<h2>RATS results.
</h2><br>
  <b>Severity: High</b><br/>
  Issue: fixed size global buffer<br/>
    Extra care should be taken to ensure that character arrays that are
    allocated on the stack are used safely.  They are prime targets for
    buffer overflow attacks.
  <br/>
<ul>
File: <b>test.c</b> Line:<b>5</b><br>
  char a[50];
<br>
  </ul>
  <b>Severity: High</b><br/>
  Issue: printf<br/>
    Check to be sure that the non-constant format string passed as argument 1
    to this function call does not come from an untrusted source that could
    have added formatting characters that the code is not prepared to handle.
  <br/>
<ul>
File: <b>test.c</b> Line:<b>8</b><br>
  printf(a, "<script>alert(31337)</script>");
<br>
  </ul>
<h3>Inputs detected at the following points</h3>
<ul>
</ul>
<br><br>
Total lines analyzed: <b>12</b><br>
Total time <b>0.007055</b> seconds<br>
<b>1700</b> lines per second<br>
</body></html>
[EMAIL PROTECTED]:~/rats-test$


I have attached a patch.

// Ulf Härnhammar

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages rats depends on:
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libexpat1                   1.95.8-1     XML parsing C library - runtime li

-- no debconf information
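Added example, not from this report or the rats source: a hypothetical html_escape() that does what the patch relies on xml_escape() for, replacing the HTML-significant characters of a source context line before the line is written into the report. The escapes_to() helper exists only to check results; the input is the printf line from test.c above.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical escaper, not the rats xml_escape(): returns the entity for c,
 * or NULL when c may be copied into HTML text unchanged. */
static const char *entity_for(char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Returns a newly malloc'd HTML-escaped copy of s (caller frees), or NULL
 * on allocation failure. Two passes: size the output, then fill it. */
char *html_escape(const char *s)
{
    size_t len = 0;
    const char *p, *rep;
    char *out, *q;
    for (p = s; *p; p++) {
        rep = entity_for(*p);
        len += rep ? strlen(rep) : 1;
    }
    if (!(out = malloc(len + 1)))
        return NULL;
    for (p = s, q = out; *p; p++) {
        rep = entity_for(*p);
        if (rep) {
            memcpy(q, rep, strlen(rep));
            q += strlen(rep);
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Test helper: 1 if escaping `in` yields exactly `expected`, else 0. */
int escapes_to(const char *in, const char *expected)
{
    char *e = html_escape(in);
    int ok = e && strcmp(e, expected) == 0;
    free(e);
    return ok;
}
```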

--- report.c.old        2002-09-17 06:05:43.000000000 +0200
+++ report.c    2005-04-18 22:31:09.573554448 +0200
@@ -1093,6 +1093,7 @@ void generate_html() {
       ctx = getctx(ptr->filename, ptr->lineno);
       if(ctx)
       {
+        ctx = xml_escape(ctx);
         printf("%s<br>\n", ctx);
         free(ctx);
       }   
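Review bot: the added `ctx = xml_escape(ctx);` overwrites the only pointer to the buffer returned by getctx(), so unless xml_escape() frees its argument or returns it unchanged, the original context string leaks on every reported line; keep the original in a separate variable and free both, e.g. `esc = xml_escape(ctx); printf("%s<br>\n", esc); free(esc); free(ctx);`. If xml_escape() can return NULL on allocation failure, the printf line also needs a NULL check before passing it to %s.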