
Summary: CAST AIP 8.3.24 introduces a number of features and changes as listed below. To view the impacts of these changes on analysis results, see: Changes in results post upgrade

User Input Security

Rule documentation updates

The following changes have been applied to rule documentation (no impact on analysis results):

8438

Avoid code injection

The Reference section has been updated to change the CWE reference from 78 to 94 and 95.

Miscellaneous

Long path support

When using CAST AIP, the path of some log files and other internal files may exceed the total number of characters permitted for a path in Microsoft Windows (260 characters by default). This is especially true when enabling the User Input Security feature for .NET and JEE technologies. When a path exceeds 260 characters, the analysis (or feature) would usually crash; for example, the User Input Security feature would crash with the errors "System.IO.PathTooLongException" or "System.InvalidOperationException".

To avoid crashes due to situations where the long path limitation is exceeded, two changes need to be made:

Change to SET_DEFINITIONS table

The table SET_DEFINITIONS (Analysis schema) has been modified: the column "setprocedure" will now accept a procedure name up to 255 characters in CAST AIP ≥ 8.3.24. Previously this column only accepted procedure names with a maximum of 30 characters. Note that if extensions are to be compatible with older releases of CAST AIP, they must still use 30 characters max.
