On 08/28/2015 06:04 AM, Tristan Leask wrote:
Hi all,
Not sure if this is the right place to ask or not, so sorry if it isn't.
I am currently using the APR library in conjunction with the Active MQ CPP
connector, so that I can produce and consume topics over an Active MQ bus.
Recently I have asked to evaluate the security of our system and the components
that it uses. One of those requirements is to make sure that the software is
protected as best as it can be from buffer exploits, and one way of doing this
is to make sure that safe C libraries are being used with C code, and that C++
code uses safe API equivalents, e.g. strncpy() to strncpy_S().
Reading the APR site, it says that you take security very seriously, so I am
assuming that the library should be ok for this. I could potentially get
someone to look in to the code, but I thought it would be quicker to ask first.
So, any comments?
Thanks in advance!
APR uses smarter library/system APIs in many situations and by default
takes action to avoid some types of vulnerabilities (e.g., file
descriptor leaks). Some APIs provided by APR help the application be
smarter about avoiding security issues (e.g., by providing a smarter
strcpy replacement). That said, YMMV. APR doesn't generally take
action to protect against the application passing bad data to APR.
