Date: Thu, 7 Sep 2000 19:33:14 -0700 From: Alfred Perlstein <bright@wintelcom.net> To: John Doh! <johndoh_@hotmail.com> Cc: security@FreeBSD.ORG, hackers@FreeBSD.ORG Subject: Re: How to stop problems from printf Message-ID: <20000907193314.B12231@fw.wintelcom.net> In-Reply-To: <F159yCTr9rf3yXvEbjk00001dc1@hotmail.com>; from johndoh_@hotmail.com on Thu, Sep 07, 2000 at 06:27:57PM %2B0000 References: <F159yCTr9rf3yXvEbjk00001dc1@hotmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
* John Doh! <johndoh_@hotmail.com> [000907 19:28] wrote:
> Hello to you am I C coder who to wish write programs we cannot exploit via
> code such as below.
>
> >
> > main(int argc, char **argv)
> > {
> > if(argc > 1) {
> > printf(gettext("usage: %s filename\n"),argv[0]);
> > exit(0);
> > }
> > printf("normal execution proceeds...\n");
> > }
>
> Issue is must be getting format string from "untrusted" place, but want to
> limit substitution of %... to the substitution of say in example the
> argv[0], but to not do others so that say given "usage: %s filename %p" %p
> not interpret but to be print instead as literally so we get output of
> (saying to be argv[0] as test just for example) usage: test filename %p
>
> any hints you have I am very greatful for.
try "%%p"
-Alfred
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000907193314.B12231>