Add warnings about trusting user-supplied data.

Reviewed by:	ru
Approved by:	murray
Obtained from:	OpenBSD
Eric Melville 2001-05-25 20:42:40 +00:00
parent fe95b46491
commit 2de2196026
3 changed files with 43 additions and 2 deletions

@ -25,8 +25,7 @@
.Dt SETPROCTITLE 3
.Sh NAME
.Nm setproctitle
.Nd set the process title for
.Xr ps 1
.Nd set process title
.Sh SYNOPSIS
.Fd #include <sys/types.h>
.Fd #include <unistd.h>
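Review bot: the `.Nd` rewrite in this hunk (replacing the two-line description with the `.Xr ps 1` cross-reference by a plain `set process title`) is a NAME-section cleanup that the commit message ("Add warnings about trusting user-supplied data") does not mention; either say so in the log or commit it separately so the history stays searchable. The new one-line description itself reads fine.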
@ -99,3 +98,17 @@ stole the idea from the
.Sy "Sendmail 8.7.3"
source code by
.An Eric Allman Aq eric@sendmail.org .
.Sh BUGS
Never pass a string with user-supplied data as a format without using
.Ql %s .
An attacker can put format specifiers in the string to mangle your stack,
leading to a possible security hole.
This holds true even if the string was built using a function like
.Fn snprintf ,
as the resulting string may still contain user-supplied conversion specifiers
for later interpolation by
.Fn setproctitle .
.Pp
Always use the proper secure idiom:
.Pp
.Dl setproctitle("%s", string);
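Review bot: "mangle your stack" in the added BUGS text understates the risk: an attacker-controlled format string lets the call read arbitrary stack contents and, via `%n`, write to memory, so the outcome is usually a full compromise rather than mere corruption. Suggest "read or write arbitrary memory, leading to a security hole". Since the same paragraph is added verbatim in the other two hunks of this commit, keep the wording identical across all three so later corrections can be applied consistently.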

@ -280,3 +280,17 @@ syslog(LOG_INFO|LOG_LOCAL2, "foobar error: %m");
These
functions appeared in
.Bx 4.2 .
.Sh BUGS
Never pass a string with user-supplied data as a format without using
.Ql %s .
An attacker can put format specifiers in the string to mangle your stack,
leading to a possible security hole.
This holds true even if the string was built using a function like
.Fn snprintf ,
as the resulting string may still contain user-supplied conversion specifiers
for later interpolation by
.Fn syslog .
.Pp
Always use the proper secure idiom:
.Pp
.Dl syslog("%s", string);
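Review bot: the recommended idiom `.Dl syslog("%s", string);` omits the required priority argument; syslog(3) takes the priority first, as the hunk's own context line `syslog(LOG_INFO|LOG_LOCAL2, "foobar error: %m");` shows. Suggest `.Dl syslog(LOG_INFO, "%s", string);` (or whatever priority the surrounding example uses) so a reader who copies the line gets a compiling call. It is also worth one sentence noting that `%m` is expanded by syslog itself, so it is an additional specifier that user data can carry even when the string holds no other conversion.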

@ -664,3 +664,17 @@ For safety, programmers should use the
.Fn snprintf
interface instead.
Unfortunately, this interface is not portable.
.Pp
Never pass a string with user-supplied data as a format without using
.Ql %s .
An attacker can put format specifiers in the string to mangle your stack,
leading to a possible security hole.
This holds true even if the string was built using a function like
.Fn snprintf ,
as the resulting string may still contain user-supplied conversion specifiers
for later interpolation by
.Fn printf .
.Pp
Always use the proper secure idiom:
.Pp
.Dl snprintf(buffer, sizeof(buffer), "%s", string);
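Review bot: the new paragraph says the specifiers are interpolated "by .Fn printf", but the idiom it recommends is `snprintf`, and the preceding context already steers readers to the `.Fn snprintf` interface; suggest "by any of these functions" so the sentence matches both the example and the surrounding text. The example line itself is correct, and unlike the other two hunks it rightly keeps the destination buffer bounded with `sizeof(buffer)`.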