Log4cxx
  1. Log4cxx
  2. LOGCXX-88

Explore use of security-enhanced CRT methods

    Details

    • Type: Improvement Improvement
    • Status: Resolved
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 0.10.0
    • Fix Version/s: 0.10.0
    • Component/s: None
    • Labels:
      None

      Description

      Microsoft has proposed a set of security-enhanced versions of the familiar C RTL methods (like strcpy_s for strcpy) that require do buffer length checking etc. It would be desirable if APR and log4cxx could use the security-enhanced versions if present to avoid nasty deprecation warnings with VS.NET 2005 when it is released. The scope of the necessary changes may or may not be substantial and it would be likely to scour APR first.

      The draft proposal is at: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1031.pdf
      MSDN article at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure03102004.asp

        Activity

        Hide
        Curt Arnold added a comment -

        Committed in rev 402994.

        apr and apr-util disable deprecation warnings that VC 2005 issues when classic C RTL methods like strcpy are used.

        exception.cpp contained the only use of strcpy within log4cxx, though there were two other uses within the unit tests. In those places, conditional sections were placed that use the security-enhanced CRT methods if available. Both _STDC_LIB_EXT1_ (from ISO working draft but not VC 2005) and _STDC_SECURE_LIB_ (defined by VC 2005, but not in draft) are checked and if either are defined, strcpy_s is used instead of strcpy and likewise.

        Show
        Curt Arnold added a comment - Committed in rev 402994. apr and apr-util disable deprecation warnings that VC 2005 issues when classic C RTL methods like strcpy are used. exception.cpp contained the only use of strcpy within log4cxx, though there were two other uses within the unit tests. In those places, conditional sections were placed that use the security-enhanced CRT methods if available. Both _ STDC_LIB_EXT1 _ (from ISO working draft but not VC 2005) and _ STDC_SECURE_LIB _ (defined by VC 2005, but not in draft) are checked and if either are defined, strcpy_s is used instead of strcpy and likewise.

          People

          • Assignee:
            Curt Arnold
            Reporter:
            Curt Arnold
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development