Date:      Thu, 07 Sep 2000 20:23:11 -0700
From:      Mike Smith <msmith@freebsd.org>
To:        "John Doh!" <johndoh_@hotmail.com>
Cc:        hackers@FreeBSD.ORG
Subject:   Re: How to stop problems from printf 
Message-ID:  <200009080323.UAA00511@mass.osd.bsdi.com>
In-Reply-To: Your message of "Thu, 07 Sep 2000 18:27:57 +0700." <F159yCTr9rf3yXvEbjk00001dc1@hotmail.com>

> Hello, I am a C coder who wishes to write programs that we cannot exploit via 
> code such as below.
> 
> >
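> >   #include <stdio.h>
> >   #include <stdlib.h>
> >   #include <libintl.h>
> >
> >   int main(int argc, char **argv)
> >   {
> >     if(argc > 1) {
> >       /* format string comes from the gettext catalog */
> >       printf(gettext("usage: %s filename\n"),argv[0]);
> >       exit(0);
> >     }
> >     printf("normal execution proceeds...\n");
> >     return 0;
> >   }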
> 
> The issue is that the format string must be gotten from an "untrusted" place, 
> but I want to limit substitution of %... to the substitution of, say, argv[0] 
> in the example, and not do the others, so that, given say 
> "usage: %s filename %p", the %p is not interpreted but is instead printed 
> literally, so we get output of (say argv[0] is "test", just for example): 
> usage: test filename %p

If you don't trust gettext, you need to write a validation wrapper for it 
that compares the format specifiers in the source and destination strings.
There's no way to "fix" printf to do this.  Personally, I'd fix the 
security on your gettext database and deal with it at that level.

-- 
... every activity meets with opposition, everyone who acts has his
rivals and unfortunately opponents also.  But not because people want
to be opponents, rather because the tasks and relationships force
people to take different points of view.  [Dr. Fritz Todt]
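
A sketch of the validation wrapper described in the reply above, added here as an example and not code from the original message or from FreeBSD. The names `next_spec`, `fmt_specs_match` and `checked_format` are hypothetical, and the policy is an assumption of this sketch: the translated string must carry byte-identical conversion specifications in the same order as the compiled-in one, and `%n` and positional (`%1$s`) arguments are rejected outright.

```c
#include <stdio.h>
#include <string.h>

/* Locate the next conversion spec ("%%" is literal). Returns its length with
 * *p on its '%', 0 at end of string, -1 if malformed/unsupported (%n, %1$s). */
static int next_spec(const char **p)
{
    const char *s = *p, *e;
    while ((s = strchr(s, '%')) != NULL && s[1] == '%')
        s += 2;
    if (s == NULL)
        return 0;
    e = s + 1;
    e += strspn(e, "-+ #0");                     /* flags */
    e += strspn(e, "0123456789*");               /* width */
    if (*e == '.')
        e += 1 + strspn(e + 1, "0123456789*");   /* precision */
    e += strspn(e, "hlLjzt");                    /* length modifier */
    if (*e == '\0' || strchr("diouxXeEfFgGaAcsp", *e) == NULL)
        return -1;
    *p = s;
    return (int)(e - s) + 1;
}

/* 1 if both formats have byte-identical specs in the same order, else 0. */
int fmt_specs_match(const char *trusted, const char *candidate)
{
    for (;;) {
        int a = next_spec(&trusted), b = next_spec(&candidate);
        if (a < 0 || a != b || memcmp(trusted, candidate, (size_t)a) != 0)
            return 0;
        if (a == 0)
            return 1;
        trusted += a;
        candidate += a;
    }
}

/* Use as checked_format(msgid, gettext(msgid)); falls back to the msgid. */
const char *checked_format(const char *trusted, const char *candidate)
{
    return fmt_specs_match(trusted, candidate) ? candidate : trusted;
}

int main(void)
{
    const char *src = "usage: %s filename\n";    /* compiled-in msgid */
    /* Constructed catalog entry with an extra %p; the msgid is printed. */
    printf(checked_format(src, "usage: %s filename %p\n"), "test");
    return 0;
}
```

The wrapper only decides which string reaches `printf`; it does not make a specifier print literally, which matches the reply's point that `printf` itself cannot be "fixed" to do that.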