Difference between revisions of "Assigning instead of comparing"

From OWASP

Revision as of 07:53, 22 September 2008

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Last revision (mm/dd/yy): 09/22/2008


Description

In many languages, the compare statement is very close in appearance to the assignment statement, and the two are often confused.

Consequences

Unspecified.

Exposure period

  • Pre-design through Build: The use of tools to detect this problem is recommended.
  • Implementation: Many logic errors can lead to this condition. It can be exacerbated by lack, or misuse, of mitigating technologies.

Platform

  • Languages: C, C++
  • Operating platforms: Any

Required resources

Any

Severity

High

Likelihood of exploit

Low


Risk Factors

TBD



Related Attacks


Related Vulnerabilities


Related Controls



Related Technical Impacts


References



Overview

Avoidance and mitigation

  • Pre-design through Build: Many IDEs and static analysis products will detect this problem.
  • Implementation: Place constants on the left. If one then mistypes the comparison as an assignment, the code attempts to assign a variable to a constant, and the compiler will of course produce an error.

Discussion

This bug is generally the result of a typo and usually causes obvious problems with program execution. If the mistaken comparison is the condition of an if statement, the condition will always take the value of the right-hand side variable.

Examples

In C/C++/Java:

#include <stdio.h>

/* The '=' is a typo for '==': it assigns 1 to foo and the condition
   takes the value of the right-hand side (1), so "foo" is printed
   for every input. */
void called(int foo){
        if (foo=1)  printf("foo\n");
}

int main(){
        called(2);
        return 0;
}
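
The following is an added example, not OWASP's own code, that puts the typo form beside the intended comparison and beside the "constant on the left" style from the mitigation section. It also shows the case where the right-hand side is a variable, so the branch is taken or skipped depending on that variable's value rather than on the comparison the author meant. The function names are hypothetical; `-Wparentheses` is the GCC/Clang warning (enabled by `-Wall`) that flags an assignment used as a truth value.

```c
#include <stdio.h>

/* Buggy: '=' assigns 1 to foo, and the condition takes the value of the
 * right-hand side (1), so the branch runs for every input.
 * Returns 1 when the branch ran, 0 otherwise. */
int check_assign(int foo) {
    if (foo = 1) {          /* gcc/clang -Wall reports this (-Wparentheses) */
        return 1;
    }
    return 0;
}

/* Buggy with a variable on the right: foo is overwritten with bar, and the
 * branch is taken only when bar is non-zero, whatever foo was. */
int check_assign_var(int foo, int bar) {
    if (foo = bar) {        /* same typo, branch now depends only on bar */
        return 1;
    }
    return 0;
}

/* Intended form: '==' compares; the branch runs only when foo is 1. */
int check_compare(int foo) {
    if (foo == 1) {
        return 1;
    }
    return 0;
}

/* Constant-on-the-left style: mistyping '==' as '=' here yields "1 = foo",
 * which is a compile error ("lvalue required"), so the typo cannot ship. */
int check_constant_left(int foo) {
    if (1 == foo) {
        return 1;
    }
    return 0;
}

int main(void) {
    int inputs[] = {0, 1, 2};   /* constructed sample inputs */
    for (int i = 0; i < 3; i++) {
        int v = inputs[i];
        printf("foo=%d  assign:%d  assign_var(bar=0):%d  compare:%d  const-left:%d\n",
               v, check_assign(v), check_assign_var(v, 0),
               check_compare(v), check_constant_left(v));
    }
    return 0;
}
```

Compiling with `-Wall` surfaces the two buggy functions at build time, which is the "Pre-design through Build" detection the page recommends.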

Related problems