Entering a Special Device Name in the Favorites of WinRAR Crashes the Application



Summary

We are going to perform Risk Based testing by entering reserved device names as file names in WinRAR v3.30. It turns out that the application allows the user to enter a reserved device name such as AUX or COM1 in the Favorites -> Add to favorites input box. When the newly added favorite is selected, the application tries to open the Windows device as if it were a file and crashes.


Application Description

WinRAR is an archive manager. It can back up data and reduce the size of email attachments, decompress RAR, ZIP and other files downloaded from the Internet, and create new archives in RAR and ZIP format. (Source: www.rarsoft.com).

For our tests we will focus on these two functions:

Favorites -> Add to favorites


File -> Open archive

The first function allows the user to add a directory or an archive to a list of favorites, so that it can be accessed faster later. The second function allows the user to browse for an existing archive, which can be later decompressed, deleted, and so on.


Test Design

This example demonstrates the use of attacks in Risk Based Testing. One possible risk is that the application will fail to recognize a reserved device name in the input and will try to access it as if it were a file (see "Exploring allowable character sets and data types" in James Whittaker, How to Break Software). The reserved device names on Windows are CON, PRN, AUX, NUL, COM1 through COM9, and LPT1 through LPT9. Windows matches them case-insensitively and ignores any extension, so aux, Aux.rar and C:\Archives\AUX.zip all refer to the AUX device rather than to a file.

To apply this test we have to identify input fields that will be used by the application as file names to access files. Two examples of such fields are offered by the functions Favorites -> Add to favorites and File -> Open archive. We will enter the reserved name in these fields and examine the results.

The expected (correct) behavior is that the application will refuse to accept such a device name as input and will show a clear error message instead.
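The check that would produce this expected behavior, together with a generator for the attack inputs used in this kind of test, written here as an added example; this is not WinRAR's code, and the function names are chosen for the example. It assumes the classic Win32 naming rules (reserved stem matched case-insensitively on the last path component, with the extension and trailing dots or spaces ignored), which is why a bare "aux" and "C:\Archives\aux.rar" are both rejected while "auxiliary.rar" and "COM10" are not.

```python
import re
from typing import Iterator, Optional

# Reserved Win32 device names: CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)


def device_name_of(path: str) -> Optional[str]:
    """Return the reserved device a Windows path would resolve to, or None.

    Assumed rules (classic Win32 behaviour): only the final path component
    matters, the match is case-insensitive, trailing spaces and dots are
    discarded, and an extension does not rescue the name (AUX.rar is still AUX).
    """
    # Final component, accepting either separator in user-typed input.
    component = re.split(r"[\\/]", path)[-1]
    # Trailing spaces and dots are stripped by Win32 path normalisation.
    component = component.rstrip(" .")
    # The stem is everything before the first dot; the extension is ignored.
    stem = component.split(".", 1)[0].rstrip(" ").upper()
    return stem if stem in RESERVED_DEVICE_NAMES else None


def validate_path_input(path: str) -> Optional[str]:
    """Validate a user-typed file name as the Add to favorites dialog should.

    Returns None when the input is acceptable, otherwise an error message
    suitable for display (hypothetical wording for this example).
    """
    device = device_name_of(path)
    if device is not None:
        return f"'{path}' names the {device} device, not a file or folder."
    return None


def reserved_name_test_inputs() -> Iterator[str]:
    """Yield the risk-based attack inputs: every reserved name in each disguise
    the assumed Win32 rules still treat as a device (constructed test data)."""
    for name in sorted(RESERVED_DEVICE_NAMES):
        yield name                          # bare, upper case
        yield name.lower()                  # bare, lower case
        yield f"{name}.rar"                 # with an archive extension
        yield f"C:\\Archives\\{name}.zip"  # inside a directory path
        yield f"{name}."                    # with a trailing dot


if __name__ == "__main__":
    for candidate in ["aux", "C:\\Archives\\aux.rar", "archive.rar", "COM10"]:
        print(candidate, "->", validate_path_input(candidate) or "accepted")
```

Every input produced by reserved_name_test_inputs() must be rejected by validate_path_input(); an application that accepts any of them has the same class of bug this report describes.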


Performing the Test

  1. Select Favorites -> Add to favorites.

  2. The Add favorite input box appears. Let's try entering aux in the first field. Click "OK".

  3. The application accepted the input. Now the question is: if we click on the first entry, will WinRAR try to open aux as if it were an archive? Let's see what will happen.


Results/Relevance

It looks like the application tried to access the device and failed, which caused it to crash.


Probably many WinRAR users wouldn't know that reserved device names exist, so the application needs code that refuses such names instead of letting the user crash it.

Since there is a very small probability that a user will enter such a name by accident, this bug most likely wouldn't be very interesting to developers.

This kind of bug is unlikely to be found by other types of testing, because no ordinary usage scenario produces such input.


Similar Tests

We can apply this test to other fields. For example, we can test the File -> Open archive function. To open archives the application uses the Windows common file dialog. Common dialogs usually do not allow entering reserved device names, but let's try it anyway. Enter aux and click "Open".


The input was not accepted and the correct error message was displayed. This is a good example of how the application should respond to such invalid input.

The test didn't cause the application to fail in this case, but the same input entered in Commands -> Add files to archive exposes the bug described above.


Configuration Notes

Tested on RarSoft's WinRAR v3.30 (evaluation version).


Created 19 May 2004 for the CSTER

All images and written material ©Copyright Georgi Nikolov 2004

This work is licensed under the Creative Commons Attribution-ShareAlike License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-sa/2.0/
or send a letter to
Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305,
USA.