Buffer overflow
/*
 * Reads one line into a fixed stack buffer and echoes it to descriptor 3.
 * Defect: gets() takes no length, so any input longer than BUFLEN-1 bytes
 * runs past the end of `buffer` on the stack.  Use a bounded read instead
 * (e.g. fgets(buffer, sizeof buffer, stdin)) and handle truncated input.
 * write() targets descriptor 3 unconditionally; nothing here opens it.
 */
f() {
    char buffer[BUFLEN];
    gets(buffer);                             /* unbounded read: overflow */
    write(3, buffer, strlen(buffer));
}

Format string
/*
 * Prints every entry of the current directory.
 * Defect: each file name is passed to printf() as the FORMAT string, so a
 * name containing %x / %s / %n is interpreted as conversion directives
 * (stack disclosure, crash, or with %n a memory write).  Data must never
 * be the format: use printf("%s", f) or fputs(f, stdout).
 * (get_dir_ents() and the `for (f in files)` loop are pseudocode here.)
 */
g() {
    files = get_dir_ents(".");
    for (f in files) {
        printf(f);                            /* untrusted data as format */
    }
}

Signed / unsigned
/*
 * Copies `len` bytes from `buffer` into a fixed local array.
 * Defect: `len` is a signed int.  A negative value passes the
 * `len > NAMELEN` test and is then converted to size_t by memcpy(),
 * becoming a huge count that overflows `name`.  Reject len < 0 before
 * using it as a size (or take a size_t and compare against sizeof name).
 */
h(int len, char* buffer) {
    char name[NAMELEN];
    if (len > NAMELEN) return 0;              /* does not catch len < 0 */
    memcpy(name, buffer, len);
}

/*
 * The same bound check expressed with pointer arithmetic.
 * Defect: `name + len` for a large `len` is undefined behaviour in C and
 * in practice wraps around, so the result can compare below `namemax`
 * and the check passes.  Compare the length as an integer
 * (`if (len > NAMELEN) return 0;`) instead of a derived pointer.
 * Note also: `name` is declared as an array of char pointers (likely
 * meant `char name[NAMELEN]`), so `name + len` advances in sizeof(char*)
 * units, and `bufp` is not declared in this snippet.
 */
i(unsigned len, char* buffer) {
    char* name[NAMELEN];
    char* namemax = name + NAMELEN;
    if (name + len > namemax) return 0;       /* pointer can wrap */
    bufp += len;
}

Unprotected execution
/*
 * Runs `ls` on a user-supplied argument via the shell.
 * Defect: userinput() is interpolated into a command line that system()
 * hands to /bin/sh, so shell metacharacters in the input (`;`, `|`,
 * `$(...)`, backticks) execute arbitrary commands.  Run the program
 * directly with an argument vector (execve/execvp or posix_spawn) rather
 * than through the shell, and validate the argument against an allowlist.
 * snprintf() also truncates silently when the input does not fit in NAMELEN.
 */
x() {
    char cmd[NAMELEN];
    snprintf(cmd, NAMELEN, "ls %s", userinput());
    system(cmd);                              /* shell command injection */
}

Races
# Writes a scratch file under /tmp and removes it.
# Defect: the name "/tmp/$$.tmp" is predictable (built from the PID) and
# /tmp is shared and world-writable, so an attacker can create that path
# first (typically as a symlink); the unchecked 2-argument open then
# follows the link and the write lands in a file of the attacker's choosing.
# Use File::Temp (tempfile/mkstemp), which creates with O_EXCL, or sysopen
# with O_CREAT|O_EXCL, with a 3-argument open and a lexical handle.
# (A semicolon is missing after the `my $f = ...` assignment as shown.)
sub y {
    my $f = "/tmp/$$.tmp"                     # predictable name
    open (TMP, "> $f");                       # unchecked; follows symlinks
    print TMP "blah";
    close (TMP);
    unlink $f;
}

# Creates the temp file safely with mkstemp, writes it, then reopens it
# BY NAME to read it back.
# Defect: the safety of mkstemp lives in the handle it returned; closing
# $fh and reopening $file by path reintroduces the race, because the path
# can be replaced between close and open.  Keep $fh open and seek to the
# start instead of reopening.  "tmpfileXXXXX" is relative to the current
# directory.  The readline in `my $line = ;` lost its operator in
# extraction (angle brackets stripped; presumably <FH>), so the line as
# shown is a syntax error.  The empty `()` prototype on z does nothing useful.
sub z() {
    my ($fh, $file) = mkstemp( "tmpfileXXXXX" );
    print $fh "stuff";
    close $fh;
    open FH, "< $file";                       # reopen by path: race window
    my $line = ;                              # readline operator stripped
    print $line;
    close FH;
}

Cross-site scripting: Click here
<!-- The anchor markup around "Click here" was stripped in extraction;
     presumably the example embedded untrusted data (a javascript: URL or
     an unescaped parameter) in the link.  The fix is to encode output for
     its HTML context and allow only http(s) URL schemes.  Confirm against
     the original page. -->