
Errata for Secure Programming with Static Analysis


Page 73: Remove the quotation mark from the last line in Example 4.1. The regular expression should not match tokens containing a quotation mark.
Page 120: Change "data that a user deliver" to "data that the user delivers".
Page 124: Indent trailing "}" to align with the word "try" and add a left-aligned ellipsis (...) to the bottom of the code example.
Page 128: Replace "do_not_trustme.com" with "trustme.com.untrustworthy.com". The function strncmp() implements a prefix match, not a suffix match, so "trustme.com" must appear at the beginning of the name.
Page 136: Add a line break before the trailing dash on the first line so that Morse k (-.-) is not split across the line break.
Page 136: Change "whitespace surrounding a . or -" to "whitespace surrounding an optional . or -".
Page 164: Change "interface, passes concatenated" to "interface, it passes concatenated".
Page 202: Change "StirngCbPrintfEx" to "StringCbPrintfEx".
Page 202: Change "StirngCbVPrintfEx" to "StringCbVPrintfEx".
Page 236: Change "twos complement" to "two's complement" in footnote.
Page 292: Remove welcome.jsp from the comma-delimited list.
Page 299: Change "'OR 1=1" to "'OR '1'='1".
Page 301: Change "a value for color..." to "a value for clr".
Page 320: Change "Content-Length: 212" to "Content-Length: 18".
Page 343: Change "down sides" to "downsides".
Page 345: Change "XPath Expresion" to "XPath Expression".
Page 355: Change "" to "".
Page 376: Change "GET" to "POST".
Page 387: Change example code to read:
  sqlQuery = "SELECT item FROM users WHERE login = '"
           + user.getLogin() + "'"
           + " AND password = '"
           + user.getPassword() + "'";

Page 406: Change "only as good as the best sources" to "only as good as the best source".
Page 412: Change (op == "%") to (op == "&").
Page 415: Change "mlock(cleartext)" to "mlock(cleartext, len)".
Page 445: The text to the far left of the diagram should read "Time 0:" through "Time 8:". Exactly aligned with each of these labels should appear one line of text in either the victim column or the attacker column; never more, never less. To be clear, the alignment should be:
Time 0: lstat(...
Time 1: creat(...
Time 2: kill(...
Time 3: stat(...
Time 4: remove(...
Time 5: symlink(...
Time 6: kill(...
Time 7: open(...
Time 8: fstat(....
Remove the trailing = in the bottom-left corner.
Index: Function calls (e.g. free() and chroot( )) appear in some cases with a space between the ( ) and sometimes without (). Normalize to use no space between matched () to avoid duplication and sort-order problems. For example, strcpy() appears twice on page 583, once with a space, once without.
Index Page 574: Remove incorrect spelling of getConneciton and remove duplicate entries for parametereized, RtlGenRandom, doGet, doPost.
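
The prefix-match problem behind the Page 128 entry above, shown as an added C example that is not code from the book. `is_trusted_suffix()` is a hypothetical helper, and the host names are constructed samples assumed to be already lower-cased.

```c
#include <stdio.h>
#include <string.h>

#define TRUSTED "trustme.com"   /* domain named in the Page 128 entry */

/* Flawed check: strncmp() compares only the first strlen(TRUSTED) bytes,
 * so any name that merely begins with the trusted domain passes. */
int is_trusted_prefix(const char *host)
{
    return strncmp(host, TRUSTED, strlen(TRUSTED)) == 0;
}

/* Hardened check (hypothetical helper, not from the book): the trusted
 * domain must be the whole name, or a suffix preceded by a '.' label
 * boundary. Assumes the caller has lower-cased the host name. */
int is_trusted_suffix(const char *host)
{
    size_t hlen = strlen(host), tlen = strlen(TRUSTED);

    if (hlen < tlen)
        return 0;
    if (strcmp(host + (hlen - tlen), TRUSTED) != 0)
        return 0;
    /* Without the boundary test, "do_not_trustme.com" would also pass. */
    return hlen == tlen || host[hlen - tlen - 1] == '.';
}

int main(void)
{
    /* Constructed sample names, including both strings from the erratum. */
    static const char *hosts[] = {
        "trustme.com",
        "www.trustme.com",
        "trustme.com.untrustworthy.com",
        "do_not_trustme.com",
    };

    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-32s prefix=%d suffix=%d\n", hosts[i],
               is_trusted_prefix(hosts[i]), is_trusted_suffix(hosts[i]));
    return 0;
}
```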