From owner-freebsd-hackers  Thu Sep  7 20:52:21 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49])
	by hub.freebsd.org (Postfix) with ESMTP
	id 8F3D937B42C; Thu,  7 Sep 2000 20:52:16 -0700 (PDT)
Received: from harmony.village.org (harmony.village.org [10.0.0.6])
	by rover.village.org (8.9.3/8.9.3) with ESMTP id VAA40783;
	Thu, 7 Sep 2000 21:52:13 -0600 (MDT)
	(envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id VAA51001; Thu, 7 Sep 2000 21:52:03 -0600 (MDT)
Message-Id: <200009080352.VAA51001@harmony.village.org>
To: Kris Kennaway <kris@FreeBSD.org>
Subject: Re: How to stop problems from printf 
Cc: John Doh! <johndoh_@hotmail.com>, security@FreeBSD.org,
	hackers@FreeBSD.org
In-reply-to: Your message of "Thu, 07 Sep 2000 20:21:15 PDT."
		<Pine.BSF.4.21.0009072004570.65638-100000@freefall.freebsd.org> 
References: <Pine.BSF.4.21.0009072004570.65638-100000@freefall.freebsd.org>  
Date: Thu, 07 Sep 2000 21:52:03 -0600
From: Warner Losh <imp@village.org>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message <Pine.BSF.4.21.0009072004570.65638-100000@freefall.freebsd.org> Kris Kennaway writes:
: gettext() doesnt take any additional arguments, AFAIK it just munges the
: string. The argument substitution was being done by printf() in the
: example given.

Right.  You know how many args are expected, since you know printf.

: The only possibilities I immediately see are:
: 
: 1) Don't do that (look up in untrusted catalogs)
: 
: 2) Write a vgettext(char *buf, int size, const char *fmt...) which a)
: looks up the message in the catalog, b) verifies the returned string has
: the same number and type of format strings, and c) substitutes the
: arguments passed to it using vsnprintf() into the passed buffer. The
: resulting string should then be handled using function("%s", buf) to deal
: with escaped format strings ("%%s" which would be parsed to %s by the
: vsnprintf()). I don't think you can do it securely otherwise, unless I'm
: missing something.
: 
: The problem is that you want gettext to substitute arguments into the
: string, but it doesn't do that, and the string it returns has an unknown
: number of format strings so it's not safe to use in a varargs function.

3) figure out how many args a string needs and forbid strings with
   more than that in them.  It knows from the original number of
   % args, can apply the printf rules.  It would be trivial to write
   one function to do must of this.  You get the number of args in the
   key, you get the number of args in the new string using the same
   routine.  If the two numbers aren't equal, you return the original
   key string, or abort.

Warner


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message