Date: Thu, 7 Sep 2000 20:21:15 -0700 (PDT) From: Kris Kennaway <kris@FreeBSD.org> To: Warner Losh <imp@village.org> Cc: John Doh! <johndoh_@hotmail.com>, security@FreeBSD.ORG, hackers@FreeBSD.ORG Subject: Re: How to stop problems from printf Message-ID: <Pine.BSF.4.21.0009072004570.65638-100000@freefall.freebsd.org> In-Reply-To: <200009080259.UAA50393@harmony.village.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 7 Sep 2000, Warner Losh wrote: > In message <F159yCTr9rf3yXvEbjk00001dc1@hotmail.com> "John Doh!" writes: > : Issue is must be getting format string from "untrusted" place, but want to > : limit substitution of %... to the substitution of say in example the > : argv[0], but to not do others so that say given "usage: %s filename %p" %p > : not interpret but to be print instead as literally so we get output of > : (saying to be argv[0] as test just for example) usage: test filename %p > : > : any hints you have I am very greatful for. > > Fix gettext to only allow N arguments in the same order that the > original message had. gettext() doesnt take any additional arguments, AFAIK it just munges the string. The argument substitution was being done by printf() in the example given. "usage: %s filename" -> "blurgle: %s flobodob" But if you're looking up in an untrusted catalog, then it could return "blurgle: %s flobodob %n%n%n%n%n" in which case your function might be insecure. The only possibilities I immediately see are: 1) Don't do that (look up in untrusted catalogs) 2) Write a vgettext(char *buf, int size, const char *fmt...) which a) looks up the message in the catalog, b) verifies the returned string has the same number and type of format strings, and c) substitutes the arguments passed to it using vsnprintf() into the passed buffer. The resulting string should then be handled using function("%s", buf) to deal with escaped format strings ("%%s" which would be parsed to %s by the vsnprintf()). I don't think you can do it securely otherwise, unless I'm missing something. The problem is that you want gettext to substitute arguments into the string, but it doesn't do that, and the string it returns has an unknown number of format strings so it's not safe to use in a varargs function. Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe <forsythe@alum.mit.edu> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0009072004570.65638-100000>