Re: [Chicken-users] Syslog string protection error


From: Peter Bex
Subject: Re: [Chicken-users] Syslog string protection error
Date: Thu, 8 Dec 2011 10:53:01 +0100
User-agent: Mutt/1.4.2.3i

On Thu, Dec 08, 2011 at 10:49:04AM +0100, Vok Vojwo wrote:
> The code of the syslog egg uses
> 
>     syslog(prio,\"%s\",msg);
> 
> to send the message. On Linux the above code is about 30% slower than this:
> 
>     syslog(prio, msg);

And it's also completely wrong and insecure.  If you pass in a string
containing percent signs, the code will crash, and if the string is
constructed from user input, this can be exploited.  Same as for printf.

Cheers,
Peter
-- 
http://sjamaan.ath.cx
--
"The process of preparing programs for a digital computer
 is especially attractive, not only because it can be economically
 and scientifically rewarding, but also because it can be an aesthetic
 experience much like composing poetry or music."
                                                        -- Donald Knuth


