Re: [Chicken-users] Syslog string protection error
From: Peter Bex
Subject: Re: [Chicken-users] Syslog string protection error
Date: Thu, 8 Dec 2011 10:53:01 +0100
User-agent: Mutt/1.4.2.3i
On Thu, Dec 08, 2011 at 10:49:04AM +0100, Vok Vojwo wrote:
> The code of the syslog egg uses
>
> syslog(prio, "%s", msg);
>
> to send the message. On Linux the above code is about 30% slower than this:
>
> syslog(prio, msg);
And it's also completely wrong and insecure. If you pass in a string
containing percent signs, the code will crash, and if the string is
constructed from user input, this can be exploited. Same as for printf.
Cheers,
Peter
--
http://sjamaan.ath.cx
--
"The process of preparing programs for a digital computer
is especially attractive, not only because it can be economically
and scientifically rewarding, but also because it can be an aesthetic
experience much like composing poetry or music."
-- Donald Knuth
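The contrast in the reply above, as an added example that is not part of the thread or of the syslog egg: the egg's fixed-format call beside a small checker (`count_directives`, an assumed helper written for this illustration) that reports how many conversion directives a caller-controlled message would act on if it were misused as the format string itself, and a `render_safe` that makes the safe path's verbatim output checkable.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* The form the syslog egg uses: the message is an argument to a fixed "%s"
 * format, so any '%' it contains is logged literally. gcc and clang flag the
 * alternative syslog(prio, msg) under -Wformat-security because the format is
 * neither a string literal nor accompanied by arguments. */
void log_message_safe(int prio, const char *msg)
{
    syslog(prio, "%s", msg);
}

/* Assumed helper for this example: counts the directives a printf-family
 * function would interpret if MSG were passed as the format string. A
 * non-zero result means syslog(prio, msg) would read arguments the caller
 * never supplied (the crash, or worse, described in the reply). "%%" is
 * the one way a literal percent can appear in a format, so it is skipped. */
int count_directives(const char *msg)
{
    int n = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped literal percent */
            p++;
            continue;
        }
        n++;                    /* a directive that consumes an argument */
    }
    return n;
}

/* What the safe call hands to the logger: the message verbatim. Rendered
 * with the same fixed "%s" format into a buffer so it can be inspected. */
int render_safe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);
}
```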