Date: Thu, 7 Sep 2000 20:57:07 -0700 (PDT)
From: Kris Kennaway <kris@FreeBSD.org>
To: Warner Losh <imp@village.org>
Cc: John Doh! <johndoh_@hotmail.com>, security@FreeBSD.org, hackers@FreeBSD.org
Subject: Re: How to stop problems from printf
Message-ID: <Pine.BSF.4.21.0009072054310.73211-100000@freefall.freebsd.org>
In-Reply-To: <200009080352.VAA51001@harmony.village.org>
On Thu, 7 Sep 2000, Warner Losh wrote:

> In message <Pine.BSF.4.21.0009072004570.65638-100000@freefall.freebsd.org> Kris Kennaway writes:
> : gettext() doesn't take any additional arguments, AFAIK it just munges the
> : string. The argument substitution was being done by printf() in the
> : example given.
>
> Right. You know how many args are expected, since you know printf.
>
> : The only possibilities I immediately see are:
> :
> : 1) Don't do that (look up in untrusted catalogs)
> :
> : 2) Write a vgettext(char *buf, int size, const char *fmt...) which a)
> : looks up the message in the catalog, b) verifies the returned string has
> : the same number and type of format strings, and c) substitutes the
> : arguments passed to it using vsnprintf() into the passed buffer. The
> : resulting string should then be handled using function("%s", buf) to deal
> : with escaped format strings ("%%s" which would be parsed to %s by the
> : vsnprintf()). I don't think you can do it securely otherwise, unless I'm
> : missing something.
> :
> : The problem is that you want gettext to substitute arguments into the
> : string, but it doesn't do that, and the string it returns has an unknown
> : number of format strings so it's not safe to use in a varargs function.
>
> 3) figure out how many args a string needs and forbid strings with
> more than that in them. It knows from the original number of
> % args, can apply the printf rules. It would be trivial to write
> one function to do most of this. You get the number of args in the
> key, you get the number of args in the new string using the same
> routine. If the two numbers aren't equal, you return the original
> key string, or abort.

It also needs to check they are all of the same type, as changing a %d to a %s for example could conceivably be exploitable. And you would have to forbid escaped % characters as well.

Yeah, I think that would be doable. We probably should talk to the gnu gettext guys.
Kris
--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>
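The check Warner's option 3 and Kris's follow-up describe, as an added C sketch that is not code from this thread or from GNU gettext: the trusted key and the catalog string are each reduced to the sequence of their printf directives, and the translation is only used if the sequences are identical. It goes slightly beyond the thread in that it also records length modifiers and `*` width/precision arguments (both change what is read from the stack) and treats `%%` as a token that must match the key rather than forbidding it outright; the catalog strings below are constructed samples, and `checked_msg()` stands in for the catalog lookup.

```c
#include <stdio.h>
#include <string.h>

/* Reduce a printf format to its "signature": one entry per directive holding
 * any length modifiers plus the conversion char, '*' for each star argument,
 * and '%' for an escaped percent. Flags, width and precision digits are
 * skipped because they consume no arguments. Returns the signature length,
 * or -1 if a directive is malformed/unterminated or the buffer is too small. */
static int fmt_signature(const char *fmt, char *out, size_t outsz) {
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') {                     /* "%%": literal, but must match key */
            if (n + 1 >= outsz) return -1;
            out[n++] = '%';
            continue;
        }
        for (; *p && strchr("-+ #0123456789.*$", *p); p++)
            if (*p == '*') {                 /* '*' pulls an int off the arg list */
                if (n + 1 >= outsz) return -1;
                out[n++] = '*';
            }
        for (; *p && strchr("hlLqjzt", *p); p++) {   /* length modifiers */
            if (n + 1 >= outsz) return -1;
            out[n++] = *p;
        }
        if (!*p || !strchr("diouxXeEfFgGaAcspn", *p)) return -1;
        if (n + 1 >= outsz) return -1;
        out[n++] = *p;                       /* conversion char */
    }
    out[n] = '\0';
    return (int)n;
}

/* 1 if msg needs exactly the same arguments, in the same order and of the same
 * types, as key. Positional reordering ("%2$s %1$d") is rejected too, which is
 * conservative but safe. */
int fmt_compatible(const char *key, const char *msg) {
    char a[64], b[64];
    if (fmt_signature(key, a, sizeof a) < 0) return 0;
    if (fmt_signature(msg, b, sizeof b) < 0) return 0;
    return strcmp(a, b) == 0;
}

/* Option 3 from the thread: use the translation only if it passes, else fall
 * back to the original key (hypothetical wrapper; translated is the catalog hit). */
const char *checked_msg(const char *key, const char *translated) {
    return (translated && fmt_compatible(key, translated)) ? translated : key;
}
```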