Vulnerability Development
mailing list archives
Re: About the format bugs thread...
From: 11a () GMX NET (Bluefish)
Date: Tue, 11 Jul 2000 23:33:00 +0200
> Yesterday I was thinking about the format bugs thread, and...
> Isn't the problem solved if I use a fixed version of the *printf family?
> I mean, so many new vulnerabilities regarding this problem, when the REAL
> fix is so easy. Why should we patch every new program, when it is enough to
> patch the *printf functions.

The "formatting bugs" are not a bug in printf, it's a really, really bad
example of bad programming. When I first heard of it, I didn't
understand the issue. Neither did our moderator, Blue Boar. And I tried to
explain it to some friends of mine, and it took a while. Was it hard to
understand how it works? No. But it was pretty hard to grasp that such
silly coding actually exists. (I assume the coders didn't drink their
coffee ;)
There is hardly a need for fixing printf because of this bug. Just about
every programming book on C explains how printf works. If you don't use
the function in the way you're supposed to, you get what you do;
weirdness.
I don't think printf is bug-prone. Although I like Java and other
languages with civilized string handling, printf isn't a problem. But
several other parts of C are ;)

> Maybe the problem is some POSIX or ANSI C standard that doesn't allow changes
> in *printf family, or something like that... ?

printf(somethingtheusersentme) is a rather undocumented feature which I
really would NOT call ANSI-C compliant code. printf is powerful because
it is really simple to (among other things) create multi-language
code with it. That's a good reason to let it remain as it is. All you need
to do to be safe is to simply use printf("%s",somethingtheusersentme)
..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
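
Added example, not part of the original post: the two call patterns the message contrasts, shown through a small logging wrapper so the result can be inspected. The names `log_line`, `log_user_unsafe` and `log_user_safe` and the sample input are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logging wrapper: formats into buf. */
static int log_line(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    return r;
}

/* The pattern the post criticises: untrusted data is the format string.
 * Any conversion specifier in `user` makes the formatter read arguments
 * that were never passed (undefined behaviour). */
int log_user_unsafe(char *buf, size_t n, const char *user)
{
    return log_line(buf, n, user);
}

/* The fix from the post: a constant format, untrusted data as an
 * argument. Specifiers inside `user` are copied as plain characters. */
int log_user_safe(char *buf, size_t n, const char *user)
{
    return log_line(buf, n, "%s", user);
}

int main(void)
{
    char out[64];
    /* Constructed sample input containing conversion specifiers. */
    const char *tricky = "name=%s id=%x";

    /* Only the safe form is exercised with the tricky input. */
    log_user_safe(out, sizeof out, tricky);
    printf("safe:   [%s]\n", out);

    /* The unsafe form looks fine in testing because benign input
     * contains no specifiers, which is why the bug goes unnoticed. */
    log_user_unsafe(out, sizeof out, "hello");
    printf("unsafe: [%s]\n", out);
    return 0;
}
```

GCC and Clang flag the direct form `printf(user)` with `-Wformat-security`; declaring a wrapper like `log_line` with `__attribute__((format(printf, 3, 4)))` extends that check to its callers.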