From owner-freebsd-hackers Fri Sep 8 12:38:36 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from mass.osd.bsdi.com (mass.osd.bsdi.com [204.216.28.234])
	by hub.freebsd.org (Postfix) with ESMTP
	id 9211537B443; Fri, 8 Sep 2000 12:38:19 -0700 (PDT)
Received: from mass.osd.bsdi.com (localhost [127.0.0.1])
	by mass.osd.bsdi.com (8.9.3/8.9.3) with ESMTP id UAA00530;
	Thu, 7 Sep 2000 20:24:33 -0700 (PDT)
	(envelope-from msmith@mass.osd.bsdi.com)
Message-Id: <200009080324.UAA00530@mass.osd.bsdi.com>
X-Mailer: exmh version 2.1.1 10/15/1999
To: Warner Losh
Cc: "John Doh!" , security@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: How to stop problems from printf
In-reply-to: Your message of "Thu, 07 Sep 2000 20:59:18 MDT." <200009080259.UAA50393@harmony.village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 07 Sep 2000 20:24:33 -0700
From: Mike Smith
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> In message "John Doh!" writes:
> : Issue is must be getting format string from "untrusted" place, but want to
> : limit substitution of %... to the substitution of say in example the
> : argv[0], but to not do others so that say given "usage: %s filename %p" %p
> : not interpret but to be print instead as literally so we get output of
> : (saying to be argv[0] as test just for example) usage: test filename %p
> :
> : any hints you have I am very grateful for.
>
> Fix gettext to only allow N arguments in the same order that the
> original message had.

Typically you want to use positional arguments with printf so that your
gettext responses can reorder things to get better results, but the same
basically applies.

-- 
... every activity meets with opposition, everyone who acts has his
rivals and unfortunately opponents also.  But not because people want
to be opponents, rather because the tasks and relationships force
people to take different points of view.  [Dr.
Fritz Todt]
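
The check discussed in this thread, as an added example that is not code from the thread or from gettext: before an untrusted (for example, translated) format string reaches printf, compare the arguments it consumes against those of the trusted original, allowing positional `%n$` reordering. The names `fmt_signature`, `fmt_compatible` and `MAX_ARGS` are hypothetical, the sample strings are constructed, and the comparison is deliberately conservative (exact length modifier and conversion must match).

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 9   /* assumption: positions %1$ .. %9$ are enough */

/* Record a type key (length modifier + conversion) for each argument the
 * format consumes. Returns the argument count, or -1 for anything refused:
 * %n, '*' width/precision, mixed positional/sequential use, gaps. */
static int fmt_signature(const char *f, char sig[MAX_ARGS][4])
{
    int next = 0, count = 0, positional = -1;      /* -1: not yet known */
    memset(sig, 0, MAX_ARGS * 4);
    for (; *f; f++) {
        if (*f != '%' || *++f == '%') continue;    /* plain text or literal %% */
        int idx = -1;
        if (*f >= '1' && *f <= '9' && f[1] == '$') { idx = *f - '1'; f += 2; }
        if (positional >= 0 && positional != (idx >= 0)) return -1;
        positional = (idx >= 0);
        f += strspn(f, "-+ #0");                   /* flags */
        f += strspn(f, "0123456789");              /* width */
        if (*f == '.') f += 1 + strspn(f + 1, "0123456789");   /* precision */
        size_t len = strspn(f, "hlLqjzt");         /* length modifier */
        if (len > 2 || !f[len] || !strchr("diouxXeEfgGcsp", f[len])) return -1;
        if (idx < 0 && (idx = next++) >= MAX_ARGS) return -1;
        char key[4] = {0};
        memcpy(key, f, len + 1);
        f += len;                                  /* now on the conversion */
        if (sig[idx][0] && memcmp(sig[idx], key, 4) != 0) return -1;
        memcpy(sig[idx], key, 4);
        if (idx >= count) count = idx + 1;
    }
    for (int i = 0; i < count; i++)
        if (!sig[i][0]) return -1;                 /* argument never referenced */
    return count;
}

/* 1 only if `untrusted` consumes exactly the arguments `trusted` does. */
int fmt_compatible(const char *trusted, const char *untrusted)
{
    char a[MAX_ARGS][4], b[MAX_ARGS][4];
    int na = fmt_signature(trusted, a), nb = fmt_signature(untrusted, b);
    return na >= 0 && na == nb && memcmp(a, b, sizeof a) == 0;
}

int main(void)
{
    const char *orig = "usage: %s filename\n", *xlat = "usage: %s filename %p\n";
    printf(fmt_compatible(orig, xlat) ? xlat : orig, "test");   /* uses orig */
    return 0;
}
```

A rejected string falls back to the trusted original here; it is not printed literally, since escaping the extra `%p` would need a separate rewrite pass.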