Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/qhttpengine-0.1.0+dfsg1/examples/chatserver/apihandler.cpp
Examining data/qhttpengine-0.1.0+dfsg1/examples/chatserver/apihandler.h
Examining data/qhttpengine-0.1.0+dfsg1/examples/chatserver/main.cpp
Examining data/qhttpengine-0.1.0+dfsg1/examples/fileserver/main.cpp
Examining data/qhttpengine-0.1.0+dfsg1/src/QHttpEngine/qfilesystemhandler.h
Examining data/qhttpengine-0.1.0+dfsg1/src/QHttpEngine/qhttphandler.h
Examining data/qhttpengine-0.1.0+dfsg1/src/QHttpEngine/qhttpparser.h
Examining data/qhttpengine-0.1.0+dfsg1/src/QHttpEngine/qhttpserver.h
Examining data/qhttpengine-0.1.0+dfsg1/src/QHttpEngine/qhttpsocket.h
Examining data/qhttpengine-0.1.0+dfsg1/src/QHttpEngine/qibytearray.h
Examining data/qhttpengine-0.1.0+dfsg1/src/QHttpEngine/qiodevicecopier.h
Examining data/qhttpengine-0.1.0+dfsg1/src/QHttpEngine/qlocalfile.h
Examining data/qhttpengine-0.1.0+dfsg1/src/QHttpEngine/qobjecthandler.h
Examining data/qhttpengine-0.1.0+dfsg1/src/qfilesystemhandler.cpp
Examining data/qhttpengine-0.1.0+dfsg1/src/qfilesystemhandler_p.h
Examining data/qhttpengine-0.1.0+dfsg1/src/qhttphandler.cpp
Examining data/qhttpengine-0.1.0+dfsg1/src/qhttphandler_p.h
Examining data/qhttpengine-0.1.0+dfsg1/src/qhttpparser.cpp
Examining data/qhttpengine-0.1.0+dfsg1/src/qhttpserver.cpp
Examining data/qhttpengine-0.1.0+dfsg1/src/qhttpserver_p.h
Examining data/qhttpengine-0.1.0+dfsg1/src/qhttpsocket.cpp
Examining data/qhttpengine-0.1.0+dfsg1/src/qhttpsocket_p.h
Examining data/qhttpengine-0.1.0+dfsg1/src/qibytearray.cpp
Examining data/qhttpengine-0.1.0+dfsg1/src/qiodevicecopier.cpp
Examining data/qhttpengine-0.1.0+dfsg1/src/qiodevicecopier_p.h
Examining data/qhttpengine-0.1.0+dfsg1/src/qlocalfile.cpp
Examining data/qhttpengine-0.1.0+dfsg1/src/qlocalfile_p.h
Examining data/qhttpengine-0.1.0+dfsg1/src/qobjecthandler.cpp
Examining data/qhttpengine-0.1.0+dfsg1/src/qobjecthandler_p.h
Examining data/qhttpengine-0.1.0+dfsg1/tests/TestQFilesystemHandler.cpp
Examining data/qhttpengine-0.1.0+dfsg1/tests/TestQHttpHandler.cpp
Examining data/qhttpengine-0.1.0+dfsg1/tests/TestQHttpParser.cpp
Examining data/qhttpengine-0.1.0+dfsg1/tests/TestQHttpServer.cpp
Examining data/qhttpengine-0.1.0+dfsg1/tests/TestQHttpSocket.cpp
Examining data/qhttpengine-0.1.0+dfsg1/tests/TestQIByteArray.cpp
Examining data/qhttpengine-0.1.0+dfsg1/tests/TestQIODeviceCopier.cpp
Examining data/qhttpengine-0.1.0+dfsg1/tests/TestQLocalFile.cpp
Examining data/qhttpengine-0.1.0+dfsg1/tests/TestQObjectHandler.cpp
Examining data/qhttpengine-0.1.0+dfsg1/tests/common/qsimplehttpclient.cpp
Examining data/qhttpengine-0.1.0+dfsg1/tests/common/qsimplehttpclient.h
Examining data/qhttpengine-0.1.0+dfsg1/tests/common/qsocketpair.cpp
Examining data/qhttpengine-0.1.0+dfsg1/tests/common/qsocketpair.h

FINAL RESULTS:

data/qhttpengine-0.1.0+dfsg1/src/qlocalfile.cpp:48:12:  [5] (race) chmod:
  This accepts filename arguments; if an attacker can move those files, a
  race condition results. (CWE-362). Use fchmod( ) instead.
    return chmod(q->fileName().toUtf8().constData(), S_IRUSR | S_IWUSR) == 0;
data/qhttpengine-0.1.0+dfsg1/src/QHttpEngine/qlocalfile.h:71:10:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    bool open();
data/qhttpengine-0.1.0+dfsg1/src/qfilesystemhandler.cpp:75:15:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    if(!file->open(QIODevice::ReadOnly)) {
data/qhttpengine-0.1.0+dfsg1/src/qhttpsocket.cpp:305:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(data, d->readBuffer.constData(), size);
data/qhttpengine-0.1.0+dfsg1/src/qiodevicecopier.cpp:105:21:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    if(!d->src->open(QIODevice::ReadOnly)) {
data/qhttpengine-0.1.0+dfsg1/src/qiodevicecopier.cpp:113:22:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    if(!d->dest->open(QIODevice::WriteOnly)) {
data/qhttpengine-0.1.0+dfsg1/src/qlocalfile.cpp:125:18:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    bool QLocalFile::open()
data/qhttpengine-0.1.0+dfsg1/src/qlocalfile.cpp:127:19:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    return QFile::open(QIODevice::WriteOnly) && d->setPermission() && d->setHidden();
data/qhttpengine-0.1.0+dfsg1/tests/TestQFilesystemHandler.cpp:117:14:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    if(!file.open(QIODevice::WriteOnly)) {
data/qhttpengine-0.1.0+dfsg1/tests/TestQLocalFile.cpp:50:18:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    QVERIFY(file.open());
data/qhttpengine-0.1.0+dfsg1/src/qiodevicecopier.cpp:63:28:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
    qint64 dataRead = src->read(data.data(), bufferSize);

ANALYSIS SUMMARY:

Hits = 11
Lines analyzed = 4321 in approximately 0.19 seconds (22781 lines/second)
Physical Source Lines of Code (SLOC) = 2070
Hits@level = [0]   0 [1]   1 [2]   9 [3]   0 [4]   0 [5]   1
Hits@level+ = [0+]  11 [1+]  11 [2+]  10 [3+]   1 [4+]   1 [5+]   1
Hits/KSLOC@level+ = [0+] 5.31401 [1+] 5.31401 [2+] 4.83092 [3+] 0.483092 [4+] 0.483092 [5+] 0.483092
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.
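The one level-5 hit, the path-based chmod() at qlocalfile.cpp:48, is the finding worth acting on. The example below is added here and is not qhttpengine's code: it uses plain POSIX calls rather than Qt so it runs stand-alone, and the scratch directory, file names and the "victim" file are constructed for the demonstration. It sets the race-prone pattern (the mode is applied to whatever the name resolves to at that instant, and chmod() follows symlinks) beside the fd-based one (create with O_EXCL, then fchmod() on the descriptor, which no rename or link swap can redirect). In the real QLocalFile the equivalent change is to call fchmod() on the open file's descriptor (QFileDevice::handle()) instead of chmod() on fileName().

```cpp
// Added example, not qhttpengine code: path-based chmod() (the pattern
// Flawfinder flags at qlocalfile.cpp:48) versus fd-based fchmod().
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cstdlib>
#include <string>

// Race-prone: equivalent to the flagged line. Between creating the file and
// this call, anyone who controls the directory can replace the entry with a
// symlink; chmod() follows it and re-modes a different file.
bool setPrivateByPath(const std::string &path) {
    return chmod(path.c_str(), S_IRUSR | S_IWUSR) == 0;
}

// Hardened: O_EXCL refuses to reuse an existing entry (including a symlink),
// O_NOFOLLOW refuses to traverse one, and fchmod() pins the mode on the very
// inode we hold open. Returns the open descriptor, or -1 on failure.
int createPrivateFile(const std::string &path) {
    int fd = open(path.c_str(),
                  O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC,
                  S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    // open() applied the umask; fchmod() fixes the final mode on this fd.
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(path.c_str());
        return -1;
    }
    return fd;
}

// Permission bits of an open descriptor (fstat, not stat, for the same reason).
mode_t modeOf(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return static_cast<mode_t>(-1);
    return st.st_mode & 0777;
}

// Path-based lookup, following symlinks; used only to observe the demo result.
mode_t modeOfPath(const std::string &path) {
    struct stat st;
    if (stat(path.c_str(), &st) != 0) return static_cast<mode_t>(-1);
    return st.st_mode & 0777;
}

// Private scratch directory for the constructed scenario.
std::string makeScratchDir() {
    char tmpl[] = "/tmp/privfile-XXXXXX";
    char *d = mkdtemp(tmpl);
    return d ? std::string(d) : std::string();
}

struct DemoResult {
    mode_t victimAfterChmod;  // mode of the victim after the path-based call
    int fdFromHardened;       // what the fd-based creation returned
};

// Constructed scenario: a 0644 "victim" file, and a symlink to it sitting
// where the server expects to place its private file.
DemoResult runDemo(const std::string &dir) {
    std::string victim = dir + "/victim";
    std::string link = dir + "/expected-name";
    int v = open(victim.c_str(), O_WRONLY | O_CREAT, 0644);
    fchmod(v, 0644);
    close(v);
    symlink(victim.c_str(), link.c_str());

    DemoResult r;
    setPrivateByPath(link);                    // silently re-modes the victim
    r.victimAfterChmod = modeOfPath(victim);   // now 0600
    r.fdFromHardened = createPrivateFile(link); // -1: entry exists (EEXIST)
    return r;
}
```

The second half of the fix is not shown in the flagged line but matters as much: pass the mode to open() at creation time so there is no window in which the file exists with default permissions, and keep using the descriptor you already hold rather than going back to the name.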
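The memcpy hit at qhttpsocket.cpp:305 is a level-2 advisory; the report shows only the copy, not how `size` is derived, so it cannot say whether the copy is bounded. The check a reviewer wants is that the length comes from both the caller's capacity and the bytes actually buffered. The example below is added here and is not qhttpengine's code: it is a plain C++ stand-in for a QIODevice::readData()-style method over an internal receive buffer, with the buffered bytes constructed inline, showing the clamp that keeps such a memcpy inside both the source and the destination.

```cpp
// Added example, not qhttpengine code: bounded copy out of a receive buffer
// in the shape of a QIODevice::readData() override.
#include <algorithm>
#include <cstring>
#include <string>
#include <utility>

class BufferedReader {
public:
    // Constructed input: bytes already received from the peer.
    explicit BufferedReader(std::string received) : buf_(std::move(received)) {}

    // Copies at most maxSize bytes into data and returns the count copied
    // (0 when nothing is buffered). maxSize is the destination's capacity.
    long readData(char *data, long maxSize) {
        if (data == nullptr || maxSize <= 0) return 0;
        // Clamp to what is buffered: the memcpy can then neither read past
        // buf_ nor write past the maxSize bytes the caller owns.
        size_t size = std::min<size_t>(static_cast<size_t>(maxSize), buf_.size());
        std::memcpy(data, buf_.data(), size);
        buf_.erase(0, size);  // drop the consumed prefix
        return static_cast<long>(size);
    }

    size_t bytesAvailable() const { return buf_.size(); }

private:
    std::string buf_;
};

// Drains a reader through a fixed 16-byte destination; the requested chunk
// is capped at the destination's real capacity before every call.
std::string drain(BufferedReader &r, long chunk) {
    std::string out;
    char dest[16];
    if (chunk > static_cast<long>(sizeof dest)) chunk = sizeof dest;
    long n;
    while ((n = r.readData(dest, chunk)) > 0) out.append(dest, static_cast<size_t>(n));
    return out;
}
```

When auditing the real method, confirm that `size` is computed as the minimum of the requested length and `d->readBuffer.size()` before the memcpy, and that the consumed prefix is removed from the buffer afterwards; a `size` taken from the request alone is the overflow Flawfinder is warning about.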