in reply to Re: use of print f and sprint f
in thread use of print f and sprint f

You should probably get into the habit of avoiding the interpolation of unchecked variables directly into the format string of (s)printf (as with $l and $j here) as a general rule - there has been some concern over the last few years about Format String vulnerabilities, and whilst it is not a flaw in Perl itself the underlying C libraries could potentially be vulnerable.

/J\

Replies are listed 'Best First'.
Re^3: use of print f and sprint f
by chb (Deacon) on Nov 10, 2004 at 14:06 UTC
    Hm, does this vulnerability really exist in perl? perldoc -f sprintf says perl uses its own formatting (just emulating libc's sprintf). The only exception are floating point numbers (with standard modifiers). I am not a security expert, but maybe someone who is (or someone who has digested the whole linked article) can tell if perl is really vulnerable here.
[reply]
[d/l]

      yes, perl is vulnerable. (There's a "but" explained below.) We can see it that it's vulnerable here:

      $f = "%%%%";
printf("$f\n");

      [download]

      If perl wasn't vulnerable, it would display %%%% instead of %%. However, the vulnerability cannot be exploited. Perl's version of the (s)printf functions will not clobber the stack if the numbre or replaceables does not match the number of the arguments. What you'll get is incorrectly formatted data (which could possibly be used to exploit something else), but that's it.

[reply]
[d/l]
        cannot be exploited
        Depends on what you mean, I guess.. Check out the perldoc, and look at the %n format. You can set values. 
           %n   special: *stores* the number of characters output so far
        into the next variable in the parameter list

        [download]
        Suppose I have the following code: 
        my $name   = ...; ## from user input
my $amount = ...;

printf "$name : \$%.02f\n", $amount;

# instead of
# printf "%s : \$%.02f\n", $name, $amount;

        [download]
        Now, if a clever hacker goes in and inputs 
        $name = (" " x 5000) . "%n";

        [download]
        then after the code runs, $amount will be set to 5000. This is a pretty rare set of circumstances, but still something to watch out for.

        Update: see also Re: $#="%c"; possible bug

        blokhead

[reply]
[d/l]
[select]

        I'm sorry, but I don't understand what your point could possibly be. The documentation states that the first parameter to printf is expected to be a string with placeholders that begin with % and that you should use %% when you want an explicit %. Your assertion that it should print %%%% does not follow from anything in the documentation. Perhaps I'm missing something so could you please explain yourself a little better?

[reply]

In Section Seekers of Perl Wisdom