From: Warner Losh
To: Kris Kennaway
Cc: John Doh!, security@FreeBSD.org, hackers@FreeBSD.org
Subject: Re: How to stop problems from printf
Date: Thu, 07 Sep 2000 21:52:03 -0600
Message-Id: <200009080352.VAA51001@harmony.village.org>
In-reply-to: Your message of "Thu, 07 Sep 2000 20:21:15 PDT."

In message Kris Kennaway writes:
: gettext() doesn't take any additional arguments, AFAIK it just munges the
: string. The argument substitution was being done by printf() in the
: example given.

Right. You know how many args are expected, since you know printf.

: The only possibilities I immediately see are:
:
: 1) Don't do that (look up in untrusted catalogs)
:
: 2) Write a vgettext(char *buf, int size, const char *fmt...) which a)
: looks up the message in the catalog, b) verifies the returned string has
: the same number and type of format strings, and c) substitutes the
: arguments passed to it using vsnprintf() into the passed buffer. The
: resulting string should then be handled using function("%s", buf) to deal
: with escaped format strings ("%%s" which would be parsed to %s by the
: vsnprintf()). I don't think you can do it securely otherwise, unless I'm
: missing something.
:
: The problem is that you want gettext to substitute arguments into the
: string, but it doesn't do that, and the string it returns has an unknown
: number of format strings so it's not safe to use in a varargs function.

3) figure out how many args a string needs and forbid strings with more
than that in them. It knows from the original number of % args, can apply
the printf rules. It would be trivial to write one function to do most of
this. You get the number of args in the key, you get the number of args in
the new string using the same routine. If the two numbers aren't equal, you
return the original key string, or abort.

Warner
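Option 3 above, combined with Kris's point (b) that the type of each directive must match too, as an added C example that is not part of this thread, of FreeBSD, or of gettext; format_signature and checked_gettext are hypothetical names, and the translation is treated as untrusted catalog data:

```c
#include <string.h>
/* Added example (hypothetical helper, not FreeBSD's or gettext's own code):
 * write the argument "signature" of a printf-style format into sig, i.e. the
 * length modifiers and conversion character of each directive, skipping "%%",
 * flags, width and precision.  Returns -1 for a malformed format, or one using
 * %n, "*" or positional "n$", which could reach arguments the key never named. */
int
format_signature(const char *fmt, char *sig, size_t siglen)
{
    size_t n = 0;
    const char *p;
    for (p = fmt; *p != '\0'; p++) {
        if (*p != '%' || *++p == '%')           /* plain text or "%%" */
            continue;
        while (*p != '\0' && strchr("-+ #0", *p) != NULL)       /* flags */
            p++;
        while (*p >= '0' && *p <= '9')                          /* width */
            p++;
        if (*p == '.')                                          /* precision */
            for (p++; *p >= '0' && *p <= '9'; p++)
                ;
        if (*p == '$' || *p == '*')
            return -1;
        while (*p != '\0' && strchr("hlLqjzt", *p) != NULL) {   /* %ld etc. */
            if (n + 2 > siglen)
                return -1;
            sig[n++] = *p++;
        }
        if (*p == '\0' || strchr("diouxXeEfFgGaAcsp", *p) == NULL)
            return -1;                          /* %n or unknown: refuse */
        if (n + 2 > siglen)
            return -1;
        sig[n++] = *p;
    }
    sig[n] = '\0';
    return 0;
}
/* Option 3 above: hand back the translation only when its directives match
 * the trusted key's exactly (count, order and argument type); else the key. */
const char *
checked_gettext(const char *key, const char *translated)
{
    char ks[64], ts[64];
    if (format_signature(key, ks, sizeof ks) != 0)
        return key;
    if (format_signature(translated, ts, sizeof ts) != 0 || strcmp(ks, ts) != 0)
        return key;
    return translated;
}
```

The caller still passes the result as a format argument, so the check only closes the argument-count and type gap; the "%%" escaping issue Kris raises for the vsnprintf variant does not arise here because no substitution is done before printf sees the string.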