PREfast Warning 277 (Windows CE 5.0)

277 - Dangerous call to <function>.
Additional Information: NULL application name and unquoted path. 
Consequence: This will result in security vulnerability if the path contains spaces.

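This warning indicates a potential security problem. When the application name is NULL and the executable path is passed as part of the command-line string, any spaces in that path must be protected by enclosing the path in quotation marks. Without this precaution, the system can split the string at a space and create a process other than the one intended.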

This warning is sometimes reported if the space occurs between the executable name and the argument. In this case, unless the executable name is fully qualified, there can be a security problem where an attacker inserts a rogue executable with the same name earlier in the path than expected.

Example

Defective Source

/* NULL application name and an unquoted path that contains a space: warning 277. */
CreateProcessA(NULL,
               "c:\\program files\\Project.exe arg1",
               NULL,
               NULL,
               FALSE,
               0,
               NULL,
               NULL,
               NULL,
               NULL);

Corrected Source

/* The executable path is enclosed in quotation marks; the argument follows the closing quote. */
CreateProcessA(NULL,
               "\"c:\\program files\\Project.exe\" arg1",
               NULL,
               NULL,
               FALSE,
               0,
               NULL,
               NULL,
               NULL,
               NULL);
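
The following is an added example, not code from the original page. It models the documented Win32 CreateProcess rule that, with a NULL application name, the first whitespace-delimited token of the command line names the module, and it builds the quoted form shown in Corrected Source. The helper names first_candidate and build_cmdline are hypothetical, and the code is portable C that does not call the Windows API.

```c
#include <stdio.h>
#include <string.h>

/* Copy into out the executable name that is tried first when
   lpApplicationName is NULL: the quoted string if the command line starts
   with a quote, otherwise everything up to the first space (the system
   appends ".exe" when the name has no extension). Returns 0 on success. */
int first_candidate(const char *cmdline, char *out, size_t outlen)
{
    const char *start = cmdline, *end;
    if (*cmdline == '"') {
        start = cmdline + 1;
        end = strchr(start, '"');
        if (end == NULL) return -1;            /* unterminated quote */
    } else {
        end = strchr(start, ' ');
        if (end == NULL) end = start + strlen(start);
    }
    size_t n = (size_t)(end - start);
    if (n + 1 > outlen) return -1;             /* would not fit */
    memcpy(out, start, n);
    out[n] = '\0';
    return 0;
}

/* Build "\"exe\" args" for use as lpCommandLine. Rejects an exe path that
   contains a quote character and any result that does not fit in out. */
int build_cmdline(const char *exe, const char *args, char *out, size_t outlen)
{
    if (exe == NULL || *exe == '\0' || strchr(exe, '"') != NULL) return -1;
    int n = (args != NULL && *args != '\0')
          ? snprintf(out, outlen, "\"%s\" %s", exe, args)
          : snprintf(out, outlen, "\"%s\"", exe);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char cand[260], cmd[520];
    /* Input strings taken from the page's Defective and Corrected Source. */
    if (first_candidate("c:\\program files\\Project.exe arg1", cand, sizeof cand) == 0)
        printf("unquoted: first name tried is %s\n", cand);
    if (build_cmdline("c:\\program files\\Project.exe", "arg1", cmd, sizeof cmd) == 0
        && first_candidate(cmd, cand, sizeof cand) == 0)
        printf("%s: first name tried is %s\n", cmd, cand);
    return 0;
}
```
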

© 2006 Microsoft Corporation. All rights reserved.