Date: Thu, 07 Sep 2000 21:52:03 -0600
From: Warner Losh <imp@village.org>
To: Kris Kennaway <kris@FreeBSD.org>
Cc: John Doh! <johndoh_@hotmail.com>, security@FreeBSD.org, hackers@FreeBSD.org
Subject: Re: How to stop problems from printf
Message-ID: <200009080352.VAA51001@harmony.village.org>
In-Reply-To: Your message of "Thu, 07 Sep 2000 20:21:15 PDT." <Pine.BSF.4.21.0009072004570.65638-100000@freefall.freebsd.org>
References: <Pine.BSF.4.21.0009072004570.65638-100000@freefall.freebsd.org>

In message <Pine.BSF.4.21.0009072004570.65638-100000@freefall.freebsd.org> Kris Kennaway writes:
: gettext() doesn't take any additional arguments, AFAIK it just munges the
: string. The argument substitution was being done by printf() in the
: example given.

Right. You know how many args are expected, since you know printf.

: The only possibilities I immediately see are:
:
: 1) Don't do that (look up in untrusted catalogs)
:
: 2) Write a vgettext(char *buf, int size, const char *fmt...) which a)
: looks up the message in the catalog, b) verifies the returned string has
: the same number and type of format strings, and c) substitutes the
: arguments passed to it using vsnprintf() into the passed buffer. The
: resulting string should then be handled using function("%s", buf) to deal
: with escaped format strings ("%%s" which would be parsed to %s by the
: vsnprintf()). I don't think you can do it securely otherwise, unless I'm
: missing something.
:
: The problem is that you want gettext to substitute arguments into the
: string, but it doesn't do that, and the string it returns has an unknown
: number of format strings so it's not safe to use in a varargs function.

3) Figure out how many args a string needs and forbid strings with more
than that in them. It knows from the original number of % args, can
apply the printf rules.

It would be trivial to write one function to do most of this. You get
the number of args in the key, you get the number of args in the new
string using the same routine. If the two numbers aren't equal, you
return the original key string, or abort.

Warner
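
Option 3 sketched in C as an added example (not code from this thread or from FreeBSD): one routine reduces a format string to the arguments it consumes, and the translated string is used only if its result equals the key's. The names fmt_signature and checked_format are hypothetical; the check compares conversion types and order as well as the count, and it rejects positional arguments ("%1$s") rather than trying to map them.

```c
#include <stdio.h>
#include <string.h>

/* Append one signature character, failing if the buffer is full. */
#define SIG_PUT(c) do { if (n + 1 >= siglen) return -1; sig[n++] = (c); } while (0)

/* Reduce a printf format to the arguments it consumes: '*' per run-time width or
 * precision, then length modifier and conversion. Returns 0, or -1 if malformed. */
static int fmt_signature(const char *fmt, char *sig, size_t siglen)
{
    size_t n = 0;
    if (siglen == 0) return -1;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (*++p == '%')
            continue;                       /* "%%" consumes no argument */
        for (; *p != '\0' && strchr("#0- +.123456789*", *p) != NULL; p++)
            if (*p == '*')
                SIG_PUT('*');               /* width/precision taken from an int */
        for (; *p != '\0' && strchr("hlqLjzt", *p) != NULL; p++)
            SIG_PUT(*p);                    /* length modifier changes the type */
        if (*p == '\0' || strchr("diouxXeEfFgGaAcspn", *p) == NULL)
            return -1;                      /* truncated, positional or unknown */
        SIG_PUT(*p);
    }
    sig[n] = '\0';
    return 0;
}

/* Return the translation only if it consumes exactly what the key consumes. */
const char *checked_format(const char *key, const char *translated)
{
    char ksig[64], tsig[64];
    if (fmt_signature(key, ksig, sizeof ksig) != 0 ||
        fmt_signature(translated, tsig, sizeof tsig) != 0 ||
        strcmp(ksig, tsig) != 0)
        return key;                         /* mismatch: fall back to the key */
    return translated;
}

int main(void)
{
    const char *key = "%d files in %s\n";   /* constructed sample strings */
    printf("accepted: %s", checked_format(key, "%d fichiers dans %s\n"));
    printf("rejected: %s", checked_format(key, "%s%s%s%s%n\n"));
    return 0;
}
```
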