The use of deprecated or obsolete functions could indicate neglected code.
As programming languages evolve, functions occasionally become obsolete due to:
- Advances in the language.
- Improved understanding of how operations should be performed effectively and securely.
- Changes in the conventions that govern certain operations.
Functions that are deprecated or removed are usually replaced by newer counterparts that perform the same task in a different, and hopefully improved, way. A deprecated call is therefore worth a closer look: the replacement often exists precisely because the old interface was found to be unsafe.
Example: The following code uses the deprecated function getpw() to verify that a plaintext password matches a user's encrypted password. If the password is valid, the function sets result to 1; otherwise it is set to 0.
...
char buf[256];                  /* fixed-size buffer; getpw() is told nothing about its length */
char *pwdline = buf, *cryptpw;
int i, result;

getpw(uid, pwdline);            /* obsolete: may write past the end of buf */
for (i = 0; i < 2; i++) {       /* advance to the second ':'-separated field, the password hash */
    cryptpw = strtok(pwdline, ":");
    pwdline = 0;                /* later strtok() calls continue from the same line */
}
result = strcmp(crypt(plainpw, cryptpw), cryptpw) == 0;
...
The getpw() function can be problematic from a security standpoint because it can overflow the buffer passed as its second parameter: the caller supplies no length, so a passwd entry longer than the buffer is written past its end. Because of this vulnerability, getpw() has been supplanted by getpwuid(), which performs the same lookup as getpw() but returns a pointer to a statically allocated structure to mitigate the risk.[1] That static structure is overwritten by the next lookup and is not safe to share between threads; where that matters, the reentrant getpwuid_r() fills a caller-supplied buffer of an explicit size and returns ERANGE when the entry does not fit, instead of overrunning it.

Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 477
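As an added example (not from the original page, and not Fortify's or glibc's code), the lookup above rewritten without the obsolete call: getpw(uid, pwdline) is replaced by getpwuid_r() with a buffer that is sized by the caller and grown on ERANGE, and the strtok() loop is replaced by a field copy that checks the destination length. SAMPLE_LINE, the helper names and the status codes are constructed for illustration; the crypt()/strcmp step of the original is unchanged and omitted here.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed passwd-style line for the self-check below; the hash is a placeholder. */
static const char SAMPLE_LINE[] =
    "alice:$6$salt$hash:1000:1000:Alice:/home/alice:/bin/sh";

/* Copy 0-based field `idx` of a ':'-separated line into out.
 * Unlike the strtok() loop in the example, this neither modifies the line
 * nor writes more than outlen bytes.
 * Returns 0 on success, -1 if the line has no such field, -2 if out is too small. */
int passwd_field(const char *line, unsigned idx, char *out, size_t outlen)
{
    const char *start = line;
    for (unsigned i = 0; i < idx; i++) {
        const char *colon = strchr(start, ':');
        if (colon == NULL)
            return -1;
        start = colon + 1;
    }
    const char *end = strchr(start, ':');
    size_t n = end ? (size_t)(end - start) : strcspn(start, "\n");
    if (n >= outlen)
        return -2;
    memcpy(out, start, n);
    out[n] = '\0';
    return 0;
}

/* Replacement for getpw(uid, pwdline): look the user up with getpwuid_r()
 * and copy pw_passwd into out. The lookup buffer is owned by this function
 * and doubled on ERANGE, so an oversized entry cannot overflow it.
 * Returns 0 on success, -1 if the user is unknown or the lookup fails,
 * -2 if out cannot hold the field. */
int lookup_pw_hash(uid_t uid, char *out, size_t outlen)
{
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t buflen = hint > 0 ? (size_t)hint : 1024;
    char *buf = NULL;
    struct passwd pwd, *res = NULL;
    int rc;

    for (;;) {
        char *grown = realloc(buf, buflen);
        if (grown == NULL) {
            free(buf);
            return -1;
        }
        buf = grown;
        rc = getpwuid_r(uid, &pwd, buf, buflen, &res);
        if (rc != ERANGE)
            break;
        if (buflen >= (1u << 20)) {   /* cap growth: a 1 MiB passwd entry is not legitimate */
            free(buf);
            return -1;
        }
        buflen *= 2;
    }
    if (rc != 0 || res == NULL) {
        free(buf);
        return -1;
    }
    /* pw_passwd has no ':' in it, so field 0 is the whole string, copied with a bounds check. */
    int status = passwd_field(res->pw_passwd, 0, out, outlen);
    free(buf);
    return status;
}

/* Self-check helpers that return plain status codes so results can be asserted. */
int sample_field_equals(unsigned idx, const char *expect)
{
    char out[128];
    return passwd_field(SAMPLE_LINE, idx, out, sizeof out) == 0 && strcmp(out, expect) == 0;
}

int sample_field_status(unsigned idx, size_t outlen)
{
    char out[128];
    if (outlen > sizeof out)
        outlen = sizeof out;
    return passwd_field(SAMPLE_LINE, idx, out, outlen);
}

int lookup_status(uid_t uid)
{
    char out[256];
    return lookup_pw_hash(uid, out, sizeof out);
}

int main(void)
{
    char hash[256];
    int rc = lookup_pw_hash(getuid(), hash, sizeof hash);   /* the hash itself is not printed */
    printf("uid %u: %s\n", (unsigned)getuid(),
           rc == 0 ? "lookup ok, hash field copied" : "lookup failed");
    return rc == 0 ? 0 : 1;
}
```

On systems that use shadow passwords the copied field is usually just "x", so a real password check would still need getspnam() with appropriate privilege; the point of the example is that neither the lookup nor the field copy can write past a buffer whose size the caller did not state.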