Date:      Thu, 07 Sep 2000 20:24:33 -0700
From:      Mike Smith <msmith@freebsd.org>
To:        Warner Losh <imp@village.org>
Cc:        "John Doh!" <johndoh_@hotmail.com>, security@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject:   Re: How to stop problems from printf 
Message-ID:  <200009080324.UAA00530@mass.osd.bsdi.com>
In-Reply-To: Your message of "Thu, 07 Sep 2000 20:59:18 MDT." <200009080259.UAA50393@harmony.village.org> 

> In message <F159yCTr9rf3yXvEbjk00001dc1@hotmail.com> "John Doh!" writes:
> : Issue is must be getting format string from "untrusted" place, but want to 
> : limit substitution of %... to the substitution of say in example the 
> : argv[0], but to not do others so that say given "usage: %s filename %p" %p 
> : not interpret but to be print instead as literally so we get output of 
> : (saying to be argv[0] as test just for example) usage: test filename %p
> : 
> : any hints you have I am very grateful for.
> 
> Fix gettext to only allow N arguments in the same order that the
> original message had.

Typically you want to use positional arguments with printf so that your 
gettext responses can reorder things to get better results, but the same 
basically applies.

-- 
... every activity meets with opposition, everyone who acts has his
rivals and unfortunately opponents also.  But not because people want
to be opponents, rather because the tasks and relationships force
people to take different points of view.  [Dr. Fritz Todt]
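
Added example, not part of the original message and not FreeBSD's or gettext's code: one way to enforce the rule discussed above, accepting an untrusted or translated format string only if it consumes exactly the same arguments, with the same conversion types, as the trusted original, whether in the original order or reordered with positional `%N$` arguments. The names `fmt_signature` and `fmt_compatible`, the 9-argument limit and the allowed conversion set are assumptions of this sketch; a string that fails the check is rejected so the caller can fall back to the trusted original, rather than having its extra conversions printed literally.

```c
#include <string.h>

#define MAX_ARGS 9              /* assumed limit: positions %1$ .. %9$ */

/* Record in sig[i] the conversion character that consumes argument i+1.
 * Returns the argument count, or -1 if the format is malformed or uses
 * anything this checker refuses: %n, %p, '*' width or precision, length
 * modifiers, mixed positional and sequential arguments, unused positions. */
static int fmt_signature(const char *fmt, char sig[MAX_ARGS + 1])
{
    int next = 0, positional = -1, count = 0;

    memset(sig, 0, MAX_ARGS + 1);
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                           /* literal percent sign */
        int idx = next;
        size_t digits = strspn(p, "0123456789");
        int is_pos = digits > 0 && p[digits] == '$';
        if (is_pos) {
            if (digits != 1)
                return -1;                      /* beyond MAX_ARGS */
            idx = *p - '1';                     /* "%0$" gives -1, rejected below */
            p += 2;
        }
        if (positional == -1)
            positional = is_pos;
        else if (positional != is_pos)
            return -1;                          /* mixing the two styles */
        p += strspn(p, "-+ #0");                /* flags */
        p += strspn(p, "0123456789");           /* literal width only */
        if (*p == '.')
            p += 1 + strspn(p + 1, "0123456789");
        if (!*p || !strchr("diouxXcs", *p))
            return -1;                          /* %n, %p, '*', "%" at end */
        if (idx < 0 || idx >= MAX_ARGS || (sig[idx] && sig[idx] != *p))
            return -1;
        sig[idx] = *p;
        next += !is_pos;
        if (idx + 1 > count)
            count = idx + 1;
    }
    for (int i = 0; i < count; i++)
        if (!sig[i])
            return -1;                          /* a position was skipped */
    return count;
}

/* 1 if candidate takes the same arguments and types as trusted, else 0. */
int fmt_compatible(const char *trusted, const char *candidate)
{
    char a[MAX_ARGS + 1], b[MAX_ARGS + 1];
    int na = fmt_signature(trusted, a), nb = fmt_signature(candidate, b);
    return na >= 0 && na == nb && memcmp(a, b, sizeof a) == 0;
}
```
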



