[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-tar] Format-string warnings in 1.26
|
From: |
Paul Eggert |
|
Subject: |
Re: [Bug-tar] Format-string warnings in 1.26 |
|
Date: |
Thu, 28 Jul 2011 23:30:41 -0700 |
|
User-agent: |
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110617 Thunderbird/3.1.11 |
On 07/28/11 23:04, Daniel Macks wrote:
> It's a valid concern when the string being fed comes from a gettext
> translation
> (or really anything else that derives from user-controllable data).
The comment in parentheses is valid, but the comment
about gettext is not. If gettext is vulnerable to the
kind of manipulation you're suggesting, then GNU tar
is vulnerable even with the patches you sent in.
For example, there's no point to changing this line:
fprintf (stderr, _("Valid arguments are:"));
while leaving this line alone:
fprintf (stdlis, _(" link to %s\n"), quotearg (st->link_name));
Any gettext-based attack that would work against the former, would
also work against the latter, and since we cannot change the latter
there's little point to cluttering up the code by changing
the former.
The proper way to address this concern lies within
gettext, not within every application that uses gettext.
Gettext can and should refuse to return a translation that is
printf-wise incompatible with the untranslated string.
NU gettext does this sort of checking, and that should be
good enough. If it isn't, please let us know,
so that we can fix GNU gettext.