Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/nautilus-dropbox-2019.02.14/src/nautilus-dropbox.c
Examining data/nautilus-dropbox-2019.02.14/src/g-util.h
Examining data/nautilus-dropbox-2019.02.14/src/nautilus-dropbox.h
Examining data/nautilus-dropbox-2019.02.14/src/dropbox-command-client.h
Examining data/nautilus-dropbox-2019.02.14/src/dropbox-command-client.c
Examining data/nautilus-dropbox-2019.02.14/src/dropbox-client.c
Examining data/nautilus-dropbox-2019.02.14/src/dropbox-client-util.c
Examining data/nautilus-dropbox-2019.02.14/src/dropbox-client-util.h
Examining data/nautilus-dropbox-2019.02.14/src/nautilus-dropbox-hooks.h
Examining data/nautilus-dropbox-2019.02.14/src/dropbox-client.h
Examining data/nautilus-dropbox-2019.02.14/src/nautilus-dropbox-hooks.c
Examining data/nautilus-dropbox-2019.02.14/src/dropbox.c
Examining data/nautilus-dropbox-2019.02.14/src/async-io-coroutine.h
FINAL RESULTS:
data/nautilus-dropbox-2019.02.14/src/dropbox-command-client.c:565:7: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
g_get_home_dir());
data/nautilus-dropbox-2019.02.14/src/nautilus-dropbox-hooks.c:182:9: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
g_get_home_dir());
data/nautilus-dropbox-2019.02.14/src/dropbox-command-client.c:566:53: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
addr_len = sizeof(addr) - sizeof(addr.sun_path) + strlen(addr.sun_path);
data/nautilus-dropbox-2019.02.14/src/nautilus-dropbox-hooks.c:183:55: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
addr_len = sizeof(addr) - sizeof(addr.sun_path) + strlen(addr.sun_path);
data/nautilus-dropbox-2019.02.14/src/nautilus-dropbox.c:574:43: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
GhettoURLDecode(item_name, item_name, strlen(item_name));
data/nautilus-dropbox-2019.02.14/src/nautilus-dropbox.c:575:33: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
GhettoURLDecode(verb, verb, strlen(verb));
data/nautilus-dropbox-2019.02.14/src/nautilus-dropbox.c:576:45: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
GhettoURLDecode(item_inner, item_inner, strlen(item_inner));
ANALYSIS SUMMARY:
Hits = 7
Lines analyzed = 3039 in approximately 0.07 seconds (42580 lines/second)
Physical Source Lines of Code (SLOC) = 2012
Hits@level = [0] 0 [1] 5 [2] 0 [3] 2 [4] 0 [5] 0
Hits@level+ = [0+] 7 [1+] 7 [2+] 2 [3+] 2 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 3.47913 [1+] 3.47913 [2+] 0.994036 [3+] 0.994036 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.