[15942] in bugtraq
Re: StackGuard with ... Re: [Paper] Format bugs.
daemon@ATHENA.MIT.EDU (Linus Akesson)
Mon Jul 24 21:19:35 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0007242319110.235-100000@localhost>
Date: Mon, 24 Jul 2000 23:35:43 +0000
Reply-To: Linus Akesson <lairfight@SOFTHOME.NET>
From: Linus Akesson <lairfight@SOFTHOME.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10007232021300.1562-100000@Mixter.2xs.co.il>
In accordance with the prophecy, mixter@2XS.CO.IL uttered:
> (snip)
> It is a bad idea to have any format functions accept format strings
> that aren't hard coded at compile time. All these functions need to have
> one format argument at one location, which definitely needs to be a hard-coded
> string, (using and enforcing const). Per definition, it is arguably possible
> to supply variable format strings in a program, but it is rarely practically
> used, and it shouldn't be practically used. At least, when supplying any format
> function a non-constant format argument, the compiler should spit out a big
> warning, and it should do that by default without warnings enabled.
But non-constant format arguments aren't evil; they are very useful in e.g.
program localization:

    printf(getTranslatedMessage(MSG_SYNTAX), argument1);

instead of:

    if (english)
        printf("Syntax error in %s!\n", argument1);
    if (swedish)
        printf("Allan tar kakan i %s baud.\n", argument1);

The second version uses constant format strings, but involves editing the
source code at lots of places all over the source tree (and recompiling) just
to translate the program to another language. The first version would keep all
the locale routines centralized around the getTranslatedMessage() interface,
which might even read format strings from an external text file.
Obviously, such an external text file could contain invalid format strings, so
a secure program would need to check permissions on it. It would be possible
to fall back to hardcoded language strings, but then they wouldn't have to be
all over the source code & make it unreadably clumsy and if{}-overpopulated.
Conclusion: Trust your own routines that return strings. Distrust user input.
Don't tell them apart by checking whether or not they are string constants.
Linus
----------------------------------------------------------------------------
The more corrupt the state, the more numerous the laws.
-- Tacitus, 56-120 A.D.
----------------------------------------------------------------------------
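Added example, not code from the post: one way to make the getTranslatedMessage() design above safe against a bad or tampered locale file is to treat the compiled-in format string as the reference and hand back a translation only if it carries exactly the same conversion specifiers. The catalogue names (default_msgs, translated_msgs, MSG_COUNT), the checker (format_signature, translation_is_safe, specifier_count) and the inline translation table are assumptions of this example; MSG_SYNTAX and the two format strings are taken from the post.

```c
#include <stdio.h>
#include <string.h>

/* Message identifiers of the hypothetical catalogue (MSG_SYNTAX is the
 * name used in the post; MSG_COUNT is added here). */
enum { MSG_SYNTAX = 0, MSG_COUNT };

/* The program's own format strings: compiled in, hence trusted. */
static const char *const default_msgs[MSG_COUNT] = {
    "Syntax error in %s!\n",
};

/* Translations as they would arrive from a locale file. Constructed
 * inline for this example; the Swedish string is the one from the post. */
static const char *translated_msgs[MSG_COUNT] = {
    "Allan tar kakan i %s baud.\n",
};

/* Extract the conversion specifiers of fmt into sig (e.g. "%s at %5d" -> "sd").
 * Returns the number of specifiers, or -1 if the string uses anything outside
 * the accepted set: a trailing lone '%', '*' (consumes an extra argument), or
 * conversions such as %n and %p that a translation has no business using. */
static int format_signature(const char *fmt, char *sig, size_t sig_len)
{
    size_t n = 0;
    const char *p = fmt;

    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') {            /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        while (*p && strchr("-+ #0", *p)) p++;               /* flags */
        while (*p >= '0' && *p <= '9') p++;                  /* width */
        if (*p == '.') {                                     /* precision */
            p++;
            while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;             /* length modifier */
        if (!*p || !strchr("diouxXcsfFeEgG", *p))
            return -1;
        if (n + 1 >= sig_len)
            return -1;
        sig[n++] = *p++;
    }
    sig[n] = '\0';
    return (int)n;
}

/* 1 if candidate carries exactly the conversions reference does, else 0. */
int translation_is_safe(const char *reference, const char *candidate)
{
    char want[32], got[32];

    if (format_signature(reference, want, sizeof want) < 0)
        return 0;
    if (format_signature(candidate, got, sizeof got) < 0)
        return 0;
    return strcmp(want, got) == 0;
}

/* Number of specifiers in fmt, or -1 if it is rejected. */
int specifier_count(const char *fmt)
{
    char sig[32];
    return format_signature(fmt, sig, sizeof sig);
}

/* The post's lookup interface: hand back the translation only when its
 * specifiers match the compiled-in original, otherwise fall back to it.
 * The caller then passes the result to printf exactly as in the post. */
const char *getTranslatedMessage(int id)
{
    const char *t;

    if (id < 0 || id >= MSG_COUNT)
        return "";
    t = translated_msgs[id];
    if (t && translation_is_safe(default_msgs[id], t))
        return t;
    return default_msgs[id];
}

int main(void)
{
    const char *argument1 = "config.txt";  /* constructed sample argument */

    printf(getTranslatedMessage(MSG_SYNTAX), argument1);

    /* Swap in a translation with an extra %d and watch the fallback kick in. */
    translated_msgs[MSG_SYNTAX] = "Fel i %s vid %d";
    printf(getTranslatedMessage(MSG_SYNTAX), argument1);
    return 0;
}
```

The check compares specifier signatures rather than rejecting every non-literal format, which is exactly the distinction the post draws: the program's own strings are trusted, anything read from outside is checked against them, and a mismatch silently degrades to the compiled-in text instead of reaching printf with the wrong argument count.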