Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/caja-dropbox-1.24.0/src/async-io-coroutine.h
Examining data/caja-dropbox-1.24.0/src/caja-dropbox-hooks.c
Examining data/caja-dropbox-1.24.0/src/caja-dropbox-hooks.h
Examining data/caja-dropbox-1.24.0/src/caja-dropbox.c
Examining data/caja-dropbox-1.24.0/src/caja-dropbox.h
Examining data/caja-dropbox-1.24.0/src/dropbox-client-util.c
Examining data/caja-dropbox-1.24.0/src/dropbox-client-util.h
Examining data/caja-dropbox-1.24.0/src/dropbox-client.c
Examining data/caja-dropbox-1.24.0/src/dropbox-client.h
Examining data/caja-dropbox-1.24.0/src/dropbox-command-client.c
Examining data/caja-dropbox-1.24.0/src/dropbox-command-client.h
Examining data/caja-dropbox-1.24.0/src/dropbox.c
Examining data/caja-dropbox-1.24.0/src/g-util.h

FINAL RESULTS:

data/caja-dropbox-1.24.0/src/caja-dropbox-hooks.c:182:9:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")'; it returns untrustable
  input if the environment can be set by an attacker. It can have any content
  and length, and the same variable can be set more than once (CWE-807,
  CWE-20). Check environment variables carefully before using them.
  g_get_home_dir());
data/caja-dropbox-1.24.0/src/dropbox-command-client.c:549:7:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")'; it returns untrustable
  input if the environment can be set by an attacker. It can have any content
  and length, and the same variable can be set more than once (CWE-807,
  CWE-20). Check environment variables carefully before using them.
  g_get_home_dir());
data/caja-dropbox-1.24.0/src/caja-dropbox-hooks.c:183:55:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  addr_len = sizeof(addr) - sizeof(addr.sun_path) + strlen(addr.sun_path);
data/caja-dropbox-1.24.0/src/caja-dropbox.c:558:43:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  GhettoURLDecode(item_name, item_name, strlen(item_name));
data/caja-dropbox-1.24.0/src/caja-dropbox.c:559:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  GhettoURLDecode(verb, verb, strlen(verb));
data/caja-dropbox-1.24.0/src/caja-dropbox.c:560:45:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  GhettoURLDecode(item_inner, item_inner, strlen(item_inner));
data/caja-dropbox-1.24.0/src/dropbox-command-client.c:550:53:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  addr_len = sizeof(addr) - sizeof(addr.sun_path) + strlen(addr.sun_path);

ANALYSIS SUMMARY:

Hits = 7
Lines analyzed = 2984 in approximately 0.11 seconds (27461 lines/second)
Physical Source Lines of Code (SLOC) = 1970
Hits@level = [0]   0 [1]   5 [2]   0 [3]   2 [4]   0 [5]   0
Hits@level+ = [0+]   7 [1+]   7 [2+]   2 [3+]   2 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 3.5533 [1+] 3.5533 [2+] 1.01523 [3+] 1.01523 [4+]   0 [5+]   0
Dot directories skipped = 2 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.