Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/pcmanfm-qt-0.14.1/pcmanfm/application.cpp
Examining data/pcmanfm-qt-0.14.1/pcmanfm/application.h
Examining data/pcmanfm-qt-0.14.1/pcmanfm/autorundialog.cpp
Examining data/pcmanfm-qt-0.14.1/pcmanfm/autorundialog.h
Examining data/pcmanfm-qt-0.14.1/pcmanfm/bulkrename.cpp
Examining data/pcmanfm-qt-0.14.1/pcmanfm/bulkrename.h
Examining data/pcmanfm-qt-0.14.1/pcmanfm/connectserverdialog.cpp
Examining data/pcmanfm-qt-0.14.1/pcmanfm/connectserverdialog.h
Examining data/pcmanfm-qt-0.14.1/pcmanfm/desktoppreferencesdialog.cpp
Examining data/pcmanfm-qt-0.14.1/pcmanfm/desktoppreferencesdialog.h
Examining data/pcmanfm-qt-0.14.1/pcmanfm/desktopwindow.cpp
Examining data/pcmanfm-qt-0.14.1/pcmanfm/desktopwindow.h
Examining data/pcmanfm-qt-0.14.1/pcmanfm/launcher.cpp
Examining data/pcmanfm-qt-0.14.1/pcmanfm/launcher.h
Examining data/pcmanfm-qt-0.14.1/pcmanfm/mainwindow.cpp
Examining data/pcmanfm-qt-0.14.1/pcmanfm/mainwindow.h
Examining data/pcmanfm-qt-0.14.1/pcmanfm/pcmanfm.cpp
Examining data/pcmanfm-qt-0.14.1/pcmanfm/preferencesdialog.cpp
Examining data/pcmanfm-qt-0.14.1/pcmanfm/preferencesdialog.h
Examining data/pcmanfm-qt-0.14.1/pcmanfm/settings.h
Examining data/pcmanfm-qt-0.14.1/pcmanfm/statusbar.cpp
Examining data/pcmanfm-qt-0.14.1/pcmanfm/statusbar.h
Examining data/pcmanfm-qt-0.14.1/pcmanfm/tabbar.cpp
Examining data/pcmanfm-qt-0.14.1/pcmanfm/tabbar.h
Examining data/pcmanfm-qt-0.14.1/pcmanfm/tabpage.cpp
Examining data/pcmanfm-qt-0.14.1/pcmanfm/tabpage.h
Examining data/pcmanfm-qt-0.14.1/pcmanfm/view.cpp
Examining data/pcmanfm-qt-0.14.1/pcmanfm/view.h
Examining data/pcmanfm-qt-0.14.1/pcmanfm/xdgdir.cpp
Examining data/pcmanfm-qt-0.14.1/pcmanfm/xdgdir.h
Examining data/pcmanfm-qt-0.14.1/pcmanfm/settings.cpp

FINAL RESULTS:

data/pcmanfm-qt-0.14.1/pcmanfm/application.cpp:306:40:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). Try using a library call that implements the same functionality
  if available.
    qtTranslator.load("qt_" + QLocale::system().name(), QLibraryInfo::location(QLibraryInfo::TranslationsPath));
data/pcmanfm-qt-0.14.1/pcmanfm/application.cpp:313:46:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). Try using a library call that implements the same functionality
  if available.
    translator.load("pcmanfm-qt_" + QLocale::system().name(), PCMANFM_DATA_DIR "/translations");
data/pcmanfm-qt-0.14.1/pcmanfm/preferencesdialog.cpp:83:49:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")'; it returns untrustable
  input if the environment can be set by an attacker. It can have any content
  and length, and the same variable can be set more than once (CWE-807,
  CWE-20). Check environment variables carefully before using them.
        findIconThemesInDir(iconThemes, QString(g_get_home_dir()) % "/.icons");
data/pcmanfm-qt-0.14.1/pcmanfm/application.cpp:142:16:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    if(! file_.open(QIODevice::ReadOnly | QIODevice::Text)) {
data/pcmanfm-qt-0.14.1/pcmanfm/desktopwindow.cpp:537:17:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        if(info.open(QIODevice::ReadOnly)) {
data/pcmanfm-qt-0.14.1/pcmanfm/desktopwindow.cpp:574:17:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        if(info.open(QIODevice::WriteOnly)) {
data/pcmanfm-qt-0.14.1/pcmanfm/xdgdir.cpp:27:13:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    if(file.open(QIODevice::ReadOnly | QIODevice::Text)) {
data/pcmanfm-qt-0.14.1/pcmanfm/xdgdir.cpp:66:17:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        if(file.open(QIODevice::WriteOnly | QIODevice::Text)) {
data/pcmanfm-qt-0.14.1/pcmanfm/application.cpp:891:11:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        ::read(sigterm_fd[1], &c, sizeof(c));
data/pcmanfm-qt-0.14.1/pcmanfm/desktopwindow.cpp:549:47:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
                        QImage image = reader.read(); // return the loaded image
data/pcmanfm-qt-0.14.1/pcmanfm/desktopwindow.cpp:1468:82:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            xcb_atom_t atom = xcb_intern_atom_reply(con, xcb_intern_atom(con, 0, strlen(atom_name), atom_name), nullptr)->atom;
data/pcmanfm-qt-0.14.1/pcmanfm/desktopwindow.cpp:1470:87:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            xcb_atom_t prop_atom = xcb_intern_atom_reply(con, xcb_intern_atom(con, 0, strlen(prop_atom_name), prop_atom_name), nullptr)->atom;

ANALYSIS SUMMARY:

Hits = 12
Lines analyzed = 10409 in approximately 0.25 seconds (42112 lines/second)
Physical Source Lines of Code (SLOC) = 7895
Hits@level = [0]   0 [1]   4 [2]   5 [3]   1 [4]   2 [5]   0
Hits@level+ = [0+]  12 [1+]  12 [2+]   8 [3+]   3 [4+]   2 [5+]   0
Hits/KSLOC@level+ = [0+] 1.51995 [1+] 1.51995 [2+] 1.0133 [3+] 0.379987 [4+] 0.253325 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.