Hiawatha weblog
Security audit
A Hiawatha user has performed a security audit on the Hiawatha source code. In his opinion, 'Hiawatha seems to be doing a great job as far as secure coding'. So, that's something to be proud of. Nevertheless, there were several findings.
Many of those findings concern the usage of strcpy(). I don't agree with the security auditor that it's better to replace all strcpy()'s with strncpy() or strlcpy(). Those functions need the length of the destination buffer as a parameter. If you already know the length of the destination buffer, you can check if the source string will fit in the destination buffer. If it won't fit, you shouldn't start copying, unless you have a good reason to truncate the source string. In my opinion, the best way to safely copy strings is to make sure there is enough space in the destination buffer. Which is what I do throughout the entire Hiawatha code.
Other findings were two array indexing issues and a few memory leaks. All of them would only occur in exceptional situations, so there's nothing to worry about for the current version of Hiawatha. Nevertheless, even a very small security bug is still a security bug, so they have been fixed. Those fixes will be available in Hiawatha 7.3.
I will contact the security auditor and see what more he's willing to do to further improve Hiawatha's security.
This article really made me moving the webserver to hiawatha on my server.
Thanks for developing the best webserver
I'm playing devil's advocate here, but why should anyone *trust* what "Hiawatha user" claims ?