[This was originally published on the OSVDB blog.]
Often times you will see a VDB or researcher disclosure offer the solution “Edit the source code to ensure that input is properly sanitised.” I’ve never been fond of this for several reasons. First and probably the most obvious, duh? If I proclaim “send food to the hungry”, have I now provided a solution for world hunger? No need to debate semantics or definitions, the bottom line is I haven’t (or we wouldn’t have the problem anymore). So offering a solution of “editing the source to sanitize input” is about as helpful as my solution. Second, if the solution was really so easy, wouldn’t the developers have done it in the first place? Couldn’t we apply such advice to all programs from all projects? Third, most users and administrators don’t have the programming experience to make such source code changes. Even if they did, most simply don’t have the time to edit every package they may use, let alone fully test their changes and ensure functionality and security.