2020-12-21 15:38:52 +01:00
Delivering code in production with debug features activated is security-sensitive. It has led in the past to the following vulnerabilities:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999007[CVE-2018-1999007]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5306[CVE-2015-5306]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2006[CVE-2013-2006]
2021-01-27 13:42:22 +01:00
The ``++DEBUG(*YES)++`` and ``++DUMP++`` statements are useful during development and debugging, but could expose sensitive information to attackers and should not be included in production code.
2020-12-21 15:38:52 +01:00
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
----
H*-------------------------------------------------------------------------
H DATEDIT(*YMD) DEBUG(*YES)
H**************************************************************************
C SR990 BegSR
C 'CVTERR' DUMP DUMP for error
C Move *on *INLR
----
== Compliant Solution
----
H*-------------------------------------------------------------------------
H DATEDIT(*YMD)
H**************************************************************************
C SR990 BegSR
C Move *on *INLR
----
include::../see.adoc[]
2021-06-02 20:44:38 +02:00
ifdef::rspecator-view[]
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::rspecator-view[]
