Date:      Thu, 07 Sep 2000 21:52:03 -0600
From:      Warner Losh <imp@village.org>
To:        Kris Kennaway <kris@FreeBSD.org>
Cc:        John Doh! <johndoh_@hotmail.com>, security@FreeBSD.org, hackers@FreeBSD.org
Subject:   Re: How to stop problems from printf 
Message-ID:  <200009080352.VAA51001@harmony.village.org>
In-Reply-To: Your message of "Thu, 07 Sep 2000 20:21:15 PDT." <Pine.BSF.4.21.0009072004570.65638-100000@freefall.freebsd.org> 
References:  <Pine.BSF.4.21.0009072004570.65638-100000@freefall.freebsd.org>  

In message <Pine.BSF.4.21.0009072004570.65638-100000@freefall.freebsd.org> Kris Kennaway writes:
: gettext() doesn't take any additional arguments, AFAIK it just munges the
: string. The argument substitution was being done by printf() in the
: example given.

Right.  You know how many args are expected, since you know printf.

: The only possibilities I immediately see are:
: 
: 1) Don't do that (look up in untrusted catalogs)
: 
: 2) Write a vgettext(char *buf, int size, const char *fmt...) which a)
: looks up the message in the catalog, b) verifies the returned string has
: the same number and type of format strings, and c) substitutes the
: arguments passed to it using vsnprintf() into the passed buffer. The
: resulting string should then be handled using function("%s", buf) to deal
: with escaped format strings ("%%s" which would be parsed to %s by the
: vsnprintf()). I don't think you can do it securely otherwise, unless I'm
: missing something.
: 
: The problem is that you want gettext to substitute arguments into the
: string, but it doesn't do that, and the string it returns has an unknown
: number of format strings so it's not safe to use in a varargs function.

3) figure out how many args a string needs and forbid strings with
   more than that in them.  It knows from the original number of
   % args, can apply the printf rules.  It would be trivial to write
   one function to do most of this.  You get the number of args in the
   key, you get the number of args in the new string using the same
   routine.  If the two numbers aren't equal, you return the original
   key string, or abort.

Warner
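
Option 3 above, sketched in C as an added example; it is not code from the original message or from FreeBSD. The names `fmt_signature` and `checked_fmt` are hypothetical, and the check goes one step beyond counting by also comparing the conversion types in order, as option 2(b) in the quoted text asks. It assumes translations keep the arguments in the same order and that rejecting `%n`, `*` and positional conversions is acceptable.

```c
#include <stdio.h>
#include <string.h>

/* Argument signature of a printf format: one "mods+conversion;" entry per
 * consumed argument. Returns the count, or -1 for what this checker refuses:
 * %n, '*' width/precision, positional (%1$s), truncated or overlong input. */
static int fmt_signature(const char *fmt, char *sig, size_t siglen)
{
    int nargs = 0;
    size_t o = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%' || *++p == '%')
            continue;                         /* literal text or "%%" */
        p += strspn(p, "-+ #0");              /* flags */
        p += strspn(p, "0123456789");         /* width */
        if (*p == '.') p += 1 + strspn(p + 1, "0123456789"); /* precision */
        size_t mods = strspn(p, "hlLjzt");    /* length modifiers */
        if (p[mods] == '\0' || !strchr("diouxXeEfgGaAcsp", p[mods]) ||
            o + mods + 2 >= siglen)
            return -1;
        memcpy(sig + o, p, mods + 1);         /* e.g. "ld" */
        o += mods + 1;
        sig[o++] = ';';
        p += mods;                            /* loop p++ skips the conversion */
        nargs++;
    }
    if (o >= siglen)
        return -1;
    sig[o] = '\0';
    return nargs;
}

/* Option 3 from the post: use the catalog string only if it consumes the
 * same arguments as the key (the trusted, compiled-in format); else the key. */
static const char *checked_fmt(const char *key, const char *translated)
{
    char ksig[64], tsig[64];
    if (fmt_signature(key, ksig, sizeof ksig) < 0 ||
        fmt_signature(translated, tsig, sizeof tsig) < 0 ||
        strcmp(ksig, tsig) != 0)
        return key;
    return translated;
}

int main(void)
{
    /* Constructed catalog entry with one extra conversion: the key is shown. */
    fputs(checked_fmt("%s: %d files\n", "%s: %d fichiers %s\n"), stdout);
}
```

The returned pointer is what would then be passed to printf() with the caller's original arguments; a catalog entry that fails the check never reaches it.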

