Difference between revisions of "Assigning instead of comparing"

From OWASP
Line 12: Line 12:
 
==Description==
 
==Description==
 
In many languages, the ''compare'' statement is very close in appearance to the ''assignment'' statement and are often confused.
 
In many languages, the ''compare'' statement is very close in appearance to the ''assignment'' statement and are often confused.
 +
 +
This bug is generally as a result of a typo and usually should cause obvious problems with program execution. If the comparison is in an ''if'' statement, the ''if ''statement will always return the value of the right-hand side variable.
 +
  
 
'''Consequences'''
 
'''Consequences'''
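Review bot: the added Discussion sentence says the if statement "will always return the value of the right-hand side variable", but in the page's own example `if (foo=1)` the right-hand side is a constant; the concrete effect is that the condition takes the assigned value, so the branch is taken whenever that value is nonzero and never when it is zero, and the variable under test is overwritten. Stating it that way would make the consequence clear. Also "generally as a result of a typo" reads better as "generally the result of a typo".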
Line 47: Line 50:
  
 
==Examples==
 
==Examples==
 +
In C/C++/Java:
  
===Short example name===
+
<pre>
: A short example description, small picture, or sample code with [http://www.site.com links]
+
void called(int foo){
 +
        if (foo=1)  printf("foo\n");
 +
}
  
===Short example name===
+
int main(){
: A short example description, small picture, or sample code with [http://www.site.com links]
+
        called(2);
 +
        return 0;
 +
}
 +
</pre>
  
  
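Review bot: the example is labelled "In C/C++/Java", but `if (foo=1)` with an `int` does not compile in Java, where the condition must be boolean (the Java form of this bug is `if (flag = true)`), so the label should be C/C++ or the snippet given per language. The `<pre>` block also needs `#include <stdio.h>` for `printf`, and the text should state the expected outcome: `called(2)` prints "foo" because the condition assigns 1 rather than comparing against it.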
Line 70: Line 79:
 
* [[Control 1]]
 
* [[Control 1]]
 
* [[Control 2]]
 
* [[Control 2]]
 
+
* Pre-design: Through Build: Many IDEs and static analysis products will detect this problem.
Note: contents of "Avoidance and Mitigation" and "Countermeasure" related Sections should be placed here
+
* Implementation: Place constants on the left. If one attempts to assign a constant with a variable, the compiler will of course produce an error.
  
  
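Review bot: the two new mitigation bullets are appended below the template placeholders `* [[Control 1]]` / `* [[Control 2]]` and the instruction line `Note: contents of "Avoidance and Mitigation" and "Countermeasure" related Sections should be placed here`, all of which are left in the page; those three lines should be removed now that real content is present. "Pre-design: Through Build" also has a stray colon after "Pre-design".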
Line 81: Line 90:
  
 
==References==
 
==References==
Note: A reference to related [http://cwe.mitre.org/ CWE] or [http://capec.mitre.org/ CAPEC] article should be added when exists. Eg:
+
TBD
 
+
[[Category:FIXME|need links
* [http://cwe.mitre.org/data/definitions/79.html CWE 79].
+
* http://www.link1.com
+
* [http://www.link2.com Title for the link2]
+
  
  
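Review bot: the References section is left as `TBD` while the template's sample entries (`[http://cwe.mitre.org/data/definitions/79.html CWE 79]`, `http://www.link1.com`, `[http://www.link2.com Title for the link2]`) are still listed; CWE 79 is cross-site scripting and is unrelated to this weakness, so the sample lines should be deleted rather than stand as references. The `[[Category:FIXME|need links` tag opened here is not closed within this hunk.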
Line 110: Line 116:
 
Logging and Auditing Vulnerability
 
Logging and Auditing Vulnerability
  
Session Management Vulnerability
+
Session Management Vulnerability]]
  
 
__NOTOC__
 
__NOTOC__
  
==Overview==
 
 
 
 
 
==Avoidance and mitigation ==
 
 
* Pre-design: Through Build: Many IDEs and static analysis products will detect this problem.
 
 
* Implementation: Place constants on the left. If one attempts to assign a constant with a variable, the compiler will of course produce an error.
 
 
==Discussion ==
 
 
This bug is generally as a result of a typo and usually should cause obvious problems with program execution. If the comparison is in an ''if'' statement, the ''if ''statement will always return the value of the right-hand side variable.
 
 
==Examples ==
 
 
In C/C++/Java:
 
 
<pre>
 
void called(int foo){
 
        if (foo=1)  printf("foo\n");
 
}
 
 
int main(){
 
        called(2);
 
        return 0;
 
}
 
</pre>
 
 
==Related problems ==
 
  
  
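Review bot: the `]]` that closes the `[[Category:FIXME|need links` tag only appears at `Session Management Vulnerability]]`, so every line between the opening tag and that point (including `Logging and Auditing Vulnerability`) is swallowed into the category sort key instead of being rendered as page text; close the tag on its own line immediately after `need links`.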

Revision as of 07:55, 22 September 2008

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Last revision (mm/dd/yy): 09/22/2008


Description

In many languages, the comparison operator (==) is very close in appearance to the assignment operator (=), and the two are often confused.

This bug is generally the result of a typo and usually causes obvious problems with program execution. If the mistyped comparison is in an if statement, the condition evaluates to the value that was just assigned (the right-hand side), so the branch is taken whenever that value is nonzero and never when it is zero, and the variable under test is overwritten.


Consequences

Unspecified.

Exposure period

  • Pre-design through Build: The use of tools to detect this problem is recommended.
  • Implementation: Many logic errors can lead to this condition. It can be exacerbated by lack, or misuse, of mitigating technologies.

Platform

  • Languages: C, C++
  • Operating platforms: Any

Required resources

Any

Severity

High

Likelihood of exploit

Low


Risk Factors

TBD


Examples

In C/C++/Java:

#include <stdio.h>

void called(int foo){
        /* Typo: "=" assigns 1 to foo instead of testing foo == 1.
           The condition takes the assigned value (1), so it is always true. */
        if (foo=1)  printf("foo\n");
}

int main(){
        called(2);      /* prints "foo" even though 2 != 1 */
        return 0;
}
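The following is an added example, not code from the OWASP page: it restates the page's called() as functions that return whether the branch ran, so the effect of the typo can be checked mechanically, and sets it beside the "constant on the left" mitigation from the Related Controls section. Function names are invented for this illustration. Note that in Java this snippet would not compile at all, because an if condition must be boolean; the Java form of the same bug is `if (flag = true)` on a boolean.

```c
/* Added example (not from the OWASP page): "=" where "==" was meant, with
 * the outcome returned rather than printed.  All function names are invented
 * for this illustration. */
#include <stdio.h>

/* Mirrors the page's called(): the condition assigns 1 to foo, and the
 * assignment expression has the value 1, so the branch runs for every
 * argument.  gcc/clang -Wall flag this line ("suggest parentheses around
 * assignment used as truth value").  Returns 1 if the branch ran, else 0. */
int branch_taken_buggy(int foo)
{
    if (foo = 1) {
        return 1;
    }
    return 0;
}

/* The same typo with a zero constant: the condition is always 0, so the
 * branch is dead code and nothing ever prints.  At runtime this looks like
 * "the feature never triggers" rather than like a bug. */
int branch_taken_buggy_zero(int foo)
{
    if (foo = 0) {
        return 1;
    }
    return 0;
}

/* The comparison the author intended. */
int branch_taken_fixed(int foo)
{
    if (foo == 1) {
        return 1;
    }
    return 0;
}

/* The page's mitigation: constant on the left.  Mistyping this as
 * `if (1 = foo)` is a compile error (the left operand must be an lvalue),
 * so the typo cannot survive the build. */
int branch_taken_yoda(int foo)
{
    if (1 == foo) {
        return 1;
    }
    return 0;
}

/* The buggy test also clobbers the variable it was supposed to inspect:
 * whatever was passed in, foo is 1 afterwards. */
int value_after_buggy_test(int foo)
{
    if (foo = 1) {
        /* intentionally empty */
    }
    return foo;
}

int main(void)
{
    int inputs[] = { 0, 1, 2, 7 };
    size_t n = sizeof inputs / sizeof inputs[0];

    printf("foo  buggy(=1)  buggy(=0)  fixed(==1)  yoda(1==)  foo after buggy test\n");
    for (size_t i = 0; i < n; i++) {
        int foo = inputs[i];
        printf("%3d  %9d  %9d  %10d  %9d  %d\n",
               foo,
               branch_taken_buggy(foo),
               branch_taken_buggy_zero(foo),
               branch_taken_fixed(foo),
               branch_taken_yoda(foo),
               value_after_buggy_test(foo));
    }
    return 0;
}
```

Compiling with `-Wall` (gcc or clang) is enough to surface both buggy functions as warnings; adding `-Werror` turns the warning into the same hard stop that the constant-on-the-left form gives for free.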


Related Attacks


Related Vulnerabilities


Related Controls

  • Pre-design through Build: Many IDEs and static analysis products will detect this problem.
  • Implementation: Place constants on the left of comparisons (1 == foo). If the operator is then mistyped as assignment, the attempt to assign to a constant is a compile error, so the typo cannot survive the build.


Related Technical Impacts


References

TBD