apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <traw...@gmail.com>
Subject Re: APR a Safe C library?
Date Fri, 28 Aug 2015 21:31:52 GMT
On 08/28/2015 06:04 AM, Tristan Leask wrote:
> Hi all,
> Not sure if this is the right place to ask or not, so sorry if it isn't.
> I am currently using the APR library in conjunction with the Active MQ CPP connector,
so that I can produce and consume topics over an Active MQ bus.  Recently I have asked to
evaluate the security of our system and the components that it uses.  One of those requirements
is to make sure that the software is protected as best as it can be from buffer exploits,
and one way of doing this is to make sure that safe C libraries are being used with C code,
and that C++ code uses safe API equivalents, e.g. strncpy() to strncpy_S().
> Reading the APR site, it says that you take security very seriously, so I am assuming
that the library should be ok for this.  I could potentially get someone to look in to the
code, but I thought it would be quicker to ask first.
> So, any comments?
> Thanks in advance!
APR uses smarter library/system APIs in many situations and by default 
takes action to avoid some types of vulnerabilities (e.g., file 
descriptor leaks).  Some APIs provided by APR help the application be 
smarter about avoiding security issues (e.g., by providing a smarter 
strcpy replacement).  That said, YMMV.  APR doesn't generally take 
action to protect against the application passing bad data to APR.

View raw message