From: Warner Losh
Date: Thu, 07 Sep 2000 20:59:18 -0600
To: "John Doh!"
Cc: security@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: How to stop problems from printf
Message-Id: <200009080259.UAA50393@harmony.village.org>
In-reply-to: Your message of "Thu, 07 Sep 2000 18:27:57 +0700."

In message "John Doh!" writes:
: Issue is must be getting format string from "untrusted" place, but want to
: limit substitution of %... to the substitution of say in example the
: argv[0], but to not do others so that say given "usage: %s filename %p" %p
: not interpret but to be print instead as literally so we get output of
: (saying to be argv[0] as test just for example) usage: test filename %p
:
: any hints you have I am very grateful for.

Fix gettext to only allow N arguments in the same order that the original
message had.

Warner
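One way to apply the check suggested in the reply, done in the caller before the string reaches printf. This is an added example, not code from the thread or from any gettext implementation; `next_conv` and `fmt_same_args` are hypothetical names. It is stricter than an argument count: the candidate must use the same conversion types in the same order as the trusted original, and `%n`, `*` and positional `n$` are refused outright.

```c
#include <string.h>

/* Step *p past the next conversion; store its length modifier and
 * conversion letter in sig (e.g. "s", "ld"). Returns 1 if one was found,
 * 0 at end of string, -1 for anything refused here: '*' width or
 * precision, positional "n$", %n, or a malformed directive. */
static int next_conv(const char **p, char sig[4])
{
    const char *s = *p;
    size_t n = 0;

    while ((s = strchr(s, '%')) != NULL && s[1] == '%')
        s += 2;                           /* "%%" is a literal percent */
    if (s == NULL)
        return 0;
    s++;
    s += strspn(s, "-+ #0");              /* flags */
    s += strspn(s, "0123456789");         /* width */
    if (*s == '.')
        s += 1 + strspn(s + 1, "0123456789");   /* precision */
    while (n < 2 && *s != '\0' && strchr("hlqjztL", *s) != NULL)
        sig[n++] = *s++;                  /* length modifier */
    if (*s == '\0' || strchr("diouxXeEfgGcsp", *s) == NULL)
        return -1;                        /* also catches '*', '$', %n */
    sig[n++] = *s++;
    sig[n] = '\0';
    *p = s;
    return 1;
}

/* 1 only if candidate takes the same arguments, in the same order and
 * with the same types, as the trusted format; 0 otherwise. */
int fmt_same_args(const char *trusted, const char *candidate)
{
    char a[4], b[4];
    int ra, rb;

    for (;;) {
        ra = next_conv(&trusted, a);
        rb = next_conv(&candidate, b);
        if (ra != rb || ra < 0)
            return 0;
        if (ra == 0)
            return 1;
        if (strcmp(a, b) != 0)
            return 0;
    }
}
```

A caller would pass the compiled-in message as `trusted` and the catalog string as `candidate`, and fall back to the compiled-in message when the function returns 0.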