Improper error handling

From OWASP
Revision as of 17:44, 13 April 2006 by Jeff Williams (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search



Overview

Sometimes an error is detected, and bad or no action is taken.

Consequences

Undefined.

Exposure period

Implementation: This is generally a logical flaw or a typo introduced completely at implementation time.

Platform

Languages: All

Operating platforms: All

Required resources

Any

Severity

Medium

Likelihood of exploit

Medium

Avoidance and mitigation

Implementation: Properly handle each exception. This is the recommended solution. Ensure that all exceptions are handled in such a way that you can be sure of the state of your system at any given moment.

Discussion

If a function returns an error, it is important to either fix the problem and try again, alert the user that an error has happened and let the program continue, or alert the user and close and cleanup the program.

Examples

In C:

foo=malloc(sizeof(char); //the next line checks to see if malloc failed if (foo==0) { //We do nothing so we just ignore the error. }


In C++ and Java:

while (DoSomething()) {

 try {
   /* perform main loop here */
 }
 catch (Exception &e){
   /* do nothing, but catch so it'll compile... */
 }

}

Related problems

Not available.

Categories