はてなブックマーク

Shellshock David A. Wheeler 2015-02-13 (originally 2014-10-02) This paper covers the basics of the Shellshock bash vulnerability, a discussion on ways to detect or prevent future Shellshock-like vulnerabilities, a timeline of what happened when, and some information about the specific CVEs (vulnerability identifiers). It ends with a few conclusions. This paper is part of the essay suite Learning f

How to Prevent the next Heartbleed David A. Wheeler 2024-04-24 (originally 2014-04-29) This paper analyzes the Heartbleed vulnerability (CVE-2014-0160) in OpenSSL found in 2014. After an introduction and a discussion of why it wasn’t found earlier, this paper focuses on identifying and discussing countermeasures that could have countered Heartbleed-like vulnerabilities. The paper also discusses pr

Filenames and Pathnames in Shell: How to do it Correctly David A. Wheeler 2023-08-23 (original version 2010-05-19) Many Bourne shell scripts (as run by bash, dash, ash, ksh, and so on) do not handle filenames and pathnames correctly on Unix-like/POSIX systems. Some shell programming books teach it wrongly, and even the POSIX standard sometimes gets it wrong. Thus, many shell scripts are buggy, lea

Note that you can use traditional math notation for functions; fibfast(n) maps to (fibfast n). Infix processing is marked with {...}; {n <= 2} maps to (<= n 2). Indentation is significant, unless disabled by (...), [...], or {...}. This example uses variable names with embedded "-" characters; that's not a problem, because the infix operators must be surrounded by whitespace and are only used when

Fixing Unix/Linux/POSIX Filenames: Control Characters (such as Newline), Leading Dashes, and Other Problems David A. Wheeler 2024-07-19 (originally 2009-03-24) Seek freedom and become captive of your desires, seek discipline and find your liberty. — Frank Herbert, Dune “Negative freedom is freedom from constraint, that is, permission to do things; Positive freedom is empowerment, that is, ability

David A. Wheeler’s Personal Home Page Papers & projects on developing secure software, free / libre / open source software (OSS/FLOSS), software innovation, & other interesting things... Latest posts: FLOSS Weekly #609! Report on the 2020 FOSS Contributor Survey Secure Software Development Fundamentals RSS Feed: all FLOSS&Open Standards security Security Secure Programming for Linux and Unix HOWTO

This paper uses logical style quoting (as defined by Hart’s Rules and the Oxford Dictionary for Writers and Editors); quotations do not include extraneous punctuation. 1.4 Bigger Picture Typical FLOSS projects are, in fact, an example of something much larger: commons-based peer-production. The fundamental characteristic of FLOSS is its licensing, and an FLOSS project that meets at least one custo

Secure Programming HOWTO - Creating Secure Software This is the main web site for my free book, the Secure Programming HOWTO (previously titled Secure Programming for Linux and Unix HOWTO and Secure Programming for Linux HOWTO). This book provides a set of design and implementation guidelines for writing secure programs. Such programs include application programs used as viewers of remote data, we

This is the main web site for flawfinder, a simple program that examines C/C++ source code and reports possible security weaknesses (“flaws”) sorted by risk level. It’s very useful for quickly finding and removing at least some potential security problems before a program is widely released to the public. It is free for anyone to use and is available as open source software (OSS). See “how does Fl

This is the home page of "SLOCCount", a set of tools for counting physical Source Lines of Code (SLOC) in a large number of languages of a potentially large set of programs. This suite of tools was used in my papers More than a Gigabuck: Estimating GNU/Linux's Size and Estimating Linux's Size to measure the SLOC of entire GNU/Linux distributions, and my essay Linux Kernel 2.6: It's Worth More! Oth