> In message <[EMAIL PROTECTED]> "John Doh!" writes:
> : Issue is must be getting format string from "untrusted" place, but want to
> : limit substitution of %... to the substitution of say in example the
> : argv[0], but to not do others so that say given "usage: %s filename %p" %p
> : not int
> Hello to you am I C coder who to wish write programs we cannot exploit via
> code such as below.
>
> >
> > main(int argc, char **argv)
> > {
> >     if(argc > 1) {
> >         printf(gettext("usage: %s filename\n"),argv[0]);
> >         exit(0);
> >     }
> >     printf("normal execution proceed
At 6:27 PM -0400 9/7/00, John Doh! wrote:
>Hello to you am I C coder who to wish write programs we cannot
>exploit via code such as below.
>
>>
>> main(int argc, char **argv)
>> {
>>     if(argc > 1) {
>>         printf(gettext("usage: %s filename\n"),argv[0]);
>>         exit(0);
>>     }
>>     printf("normal
On Fri, 8 Sep 2000, Jan Knepper wrote:
> I don't know what you are doing with the 'gettext' in the call to 'printf'.
Translate the string into a localized version. You can't just printf("%s",
gettext(...), args) because the arguments won't be printed, only the raw
string returned from gettext wi
In message <[EMAIL PROTECTED]> Kris
Kennaway writes:
: It also needs to check they are all of the same type, as changing a %d to
: a %s for example could conceivably be exploitable. And you would have to
: forbid escaped % characters as well. Yeah, I think that would be
: doable. We probably shou
However for just displaying strings I would use puts or fputs. I mean why call a
heavy duty function as printf when the job can be very easily done with a
puts/fputs.
HTH
Jan
"John Doh!" wrote:
> >From: Alfred Perlstein <[EMAIL PROTECTED]>
> >To: John Doh! <[EMA
On Thu, 7 Sep 2000, Warner Losh wrote:
> In message <[EMAIL PROTECTED]> Kris
>Kennaway writes:
> : gettext() doesn't take any additional arguments, AFAIK it just munges the
> : string. The argument substitution was being done by printf() in the
> : example given.
>
> Right. You know how many ar
In message <[EMAIL PROTECTED]> Kris
Kennaway writes:
: gettext() doesn't take any additional arguments, AFAIK it just munges the
: string. The argument substitution was being done by printf() in the
: example given.
Right. You know how many args are expected, since you know printf.
: The only p
On Thu, 7 Sep 2000, Warner Losh wrote:
> In message <[EMAIL PROTECTED]> "John Doh!" writes:
> : Issue is must be getting format string from "untrusted" place, but want to
> : limit substitution of %... to the substitution of say in example the
> : argv[0], but to not do others so that say given
In message <[EMAIL PROTECTED]> "John Doh!" writes:
: Issue is must be getting format string from "untrusted" place, but want to
: limit substitution of %... to the substitution of say in example the
: argv[0], but to not do others so that say given "usage: %s filename %p" %p
: not interpret but
>From: Alfred Perlstein <[EMAIL PROTECTED]>
>To: John Doh! <[EMAIL PROTECTED]>
>CC: [EMAIL PROTECTED], [EMAIL PROTECTED]
>Subject: Re: How to stop problems from printf
>Date: Thu, 7 Sep 2000 19:33:14 -0700
>
>* John Doh! <[EMAIL PROTECTED]> [000907 19:2
* John Doh! <[EMAIL PROTECTED]> [000907 19:28] wrote:
> Hello to you am I C coder who to wish write programs we cannot exploit via
> code such as below.
>
> >
> > main(int argc, char **argv)
> > {
> >     if(argc > 1) {
> >         printf(gettext("usage: %s filename\n"),argv[0]);
> >         exi
Hello to you am I C coder who to wish write programs we cannot exploit via
code such as below.
>
> main(int argc, char **argv)
> {
>     if(argc > 1) {
>         printf(gettext("usage: %s filename\n"),argv[0]);
>         exit(0);
>     }
>     printf("normal execution proceeds...\n");
> }
Issue