Date: Tue, 03 Apr 2001 07:33:26 -0700 From: Bengt Richter <bokr@accessone.com> To: freebsd-doc@freebsd.org Cc: Dima Dorfman <dima@unixfreak.org> Subject: Re: docs/26286: format string warnings in man pages. Message-ID: <5.0.2.1.1.20010403072605.00ae87c0@mail.accessone.com> In-Reply-To: <200104030140.f331e2556686@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
PMJI, but in order not to clutter the text itself, perhaps a minimal footnote reference like this[1], and in the footnote, a (hyperlinked?) reference to a central place for security risk matters, something like the below? -- [1] See Security Risks Compendium, Section nnn.mmm, re format string risks. ---------------------------- (I am implicitly suggesting that security risk documentation be accumulated in a single place for reference and browsing. This would serve several goals at once, not least of which is a single instance of explanatory text to update when appropriate. Other format-string based code docs could also reference the same security section, avoiding cluttering of functional info with extensive text discussing security). HTH, but I can't volunteer to do anything more about it for now. Regards Bengt Richter PS., sorry if this got duplicated. Messing with ISP access setup. At 18:40 2001-04-02, you wrote: >The following reply was made to PR docs/26286; it has been noted by GNATS. > >From: Dima Dorfman <dima@unixfreak.org> >To: mike@urgle.com >Cc: FreeBSD-gnats-submit@freebsd.org >Subject: Re: docs/26286: format string warnings in man pages. >Date: Mon, 02 Apr 2001 18:38:26 -0700 > > Mike Bristow <mike@urgle.com> writes: > > >Number: 26286 > > >Category: docs > > >Synopsis: *printf(3) etc should gain format string warnings > > > > Index: lib/libc/gen/err.3 > > =================================================================== > > RCS file: /upstream-repositories/freebsd.org/src/lib/libc/gen/err.3,v > > retrieving revision 1.11.2.4 > > diff -u -r1.11.2.4 err.3 > > --- lib/libc/gen/err.3 2001/03/05 08:42:22 1.11.2.4 > > +++ lib/libc/gen/err.3 2001/03/29 15:48:07 > > @@ -97,9 +97,16 @@ > > and a space are output. > > If the > > .Fa fmt > > -argument is not NULL, the > > -.Xr printf 3 > > --like formatted error message is output. > > +argument is not NULL, then further output is controlled by treating > > +it as a format string that specifies how subsequent arguments (or > > +arguments accessed via the variable-length argument facilities of > > +.Xr stdarg 3 ) > > +are converted for output, in the same way as > > +.Xr printf 3 . > > +If the format string specifies an argument that does not exist, or > > +a type different from that actually given, random errors, that > > +could cause a security risk, may occur. > > +.Pp > > [ Picking a random part of the patch to use as context. ] > > The idea behind this is great, but I don't really like how the above > text is duplicated everywhere. It seems unnatural. Ideally, the > above would be replaced with a "see something(3) for information on > what [a format string] implies". Unfortunately, I don't know what > this something(3) should be; printf(3) is the first thing that comes > to mind, but printf(3) documents a particular function; it just so > happens that most C programmers' first sight of a format string was in > the context of a call to printf(). > > To demonstrate the importance of not duplicating this stuff, I point > out this [shortcoming]: the text above, which is pretty much the same > in all your other changes, doesn't mention the fact that using a > dynamic format string--more accurately, one which an outsider (user) > can control--can lead to disaster just as quickly as specifying the > wrong type of arguments. Although technically it's the same problem > (i.e., someone specifies a format the programmer didn't know about, > leading, e.g., err(3) to think argument x is of type y when it's > really of type z, or just nonexistent), it's a very common error (this > is what's recently became known as a "format string bug"). > > Regards, > > Dima Dorfman > dima@unixfreak.org > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-doc" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.0.2.1.1.20010403072605.00ae87c0>