strstr()C ++的安全版本? [英] A safe version of strstr() C++?

查看:736
本文介绍了strstr()C ++的安全版本?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述





我必须通过项目代码运行Parasoft C ++ Static Analysis。我的代码(即strstr)上的子字符串函数不断被标记为我应该修复的警告,并且有很多它们。警告如下:



不得使用库< cstring>的'strstr'功能



我怀疑这是因为我应该使用更安全的方式来实现子串逻辑。是否有strstr函数的安全版本? (即strcpy_s而不是strcpy /甚至strncmp而不是strcmp)我似乎没有在其他任何地方找到任何提及。



任何有修复/想法的人?



谢谢。



---------------- -----

查看提供的评论/解决方案后的详细说明:

代码实际上使用了strstr字符指针重载函数。我想这就是为什么Parasoft在抱怨?我想我可以尝试使用std :: strings,但我试图避免更改代码,因为它最初不是由我编写的。



it不是错误,而是来自Parasoft的警告。

确切的警告声明库的'strstr'功能< cstring>不得使用



调用此警告的代码可能是:



char * line1 = somebuffer;

char * line2;



line2 = strstr(line1,\ n); //在这里调用警告。

Hi,

I have to run Parasoft C++ Static Analysis through my project code. The substring functions on my code (i.e. strstr) keep getting flagged out as a warning that I should fix, and there are lots of them. The warning reads:

"The 'strstr' function of library <cstring> shall not be used"

I suspect it's because I should be using a safer way to implement substring logic. Is there a safe version of the strstr function? (i.e. strcpy_s as opposed to strcpy / or even strncmp instead of strcmp) I don't seem to find any mention of this anywhere else.

Anyone with a fix/idea?

Thanks.

---------------------
Elaboration after looking at the comments/solutions offered:
The code actually uses the strstr character pointer overloaded functions. I suppose that's why Parasoft is complaining? I suppose I could try using std::strings instead but I'm trying to avoid changing the code too much since it wasn't originally written by me.

it isn't an error, but rather, a warning from Parasoft.
The exact warning states "The 'strstr' function of library <cstring> shall not be used"

Code that would invoke this warning could be:

char *line1 = somebuffer;
char *line2;

line2 = strstr(line1, "\n"); //warning is invoked here.

推荐答案

使用 strstr 没有太大问题 - 指针除外论证和整个是零终止还是没有?


在C ++中,你通常使用 std :: string :: find 。如果你坚持不使用字符指针作为参数的重载,你将是相当安全的。
There's not a lot wrong with using strstr - except for the pointer arguments and the whole "is it zero terminated or not?" thing.

In C++ you'd generally use std::string::find. If you keep to the overloads that don't take character pointers as parameters you'll be fairly safe.


据我所知,没有这种函数的安全版本。

但是,由于你使用的是C ++, std :: string s而不是字符数组将是一个更合适的选择。



值得注意的是:

  • 也许你的代码实际上是安全的你可以放心地忽略这些警告(例如,你对输入字符串有完全的控制)。
  • 你可以为 strstr 提供一个安全的包装:这可以解决潜在的安全风险,但你将继续收到警告。
As far as I know, there is NOT a safe version of such a function.
However, since you are using C++, std::strings instead of character arrays would be a more appropriate choice.

It is worth noting:
  • Maybe your code is actually secure and you can safely ignore the warnings (e.g. you have full constrol on input strings).
  • You may provide a safe wrapper for strstr: this would solve the potential security risk, but you'll keep getting the warnings.


根据您现在提供的确切消息,您使用了
According to the exact message you now provided you used
#include <cstring>

而不是

#include <string>

#include <string.h>

如果您的编译器,或者在这种情况下,您的静态分析工具不知道特定于MS的标头,这可能会导致警告或错误(这一个是)。请参阅 http://stackoverflow.com/questions/12824595/difference-between-cstring-and-string [ ^ ]了解此事。



我建议您尝试

This may cause warnings or errors if your compiler, or, in this case, your static analysis tool, is not aware of the MS-specific headers (which this one is). See http://stackoverflow.com/questions/12824595/difference-between-cstring-and-string[^] for some insight into this matter.

I suggest you try

#include <string.h>

然后看看Parasoft对您的代码的看法。

and see what Parasoft thinks about your code then.


这篇关于strstr()C ++的安全版本?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆