Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl: the Markov chain saw
 
PerlMonks  

Re: use of print f and sprint f

by busunsl (Vicar)
on Nov 10, 2004 at 12:16 UTC ( #406656=note: print w/ replies, xml ) Need Help??


in reply to use of print f and sprint f

Have a look at the dokumentation of printf:

perldoc -f sprintf

You need a format string to format your values. You can try something like this:

printf "$l, $j, %.3f, %.3f, %.3f, %.3f\n", $Hx, $Hy, $Hxy, $mutual;


Comment on Re: use of print f and sprint f
Select or Download Code
Re^2: use of print f and sprint f
by gellyfish (Monsignor) on Nov 10, 2004 at 13:32 UTC

    You should probably get into the habit of avoiding the interpolation of unchecked variables directly into the format string of (s)printf (as with $l and $j here) as a general rule - there has been some concern over the last few years about Format String vulnerabilities, and whilst it is not a flaw in Perl itself the underlying C libraries could potentially be vulnerable.

    /J\

      Hm, does this vulnerability really exist in perl? perldoc -f sprintf says perl uses its own formatting (just emulating libc's sprintf). The only exception are floating point numbers (with standard modifiers). I am not a security expert, but maybe someone who is (or someone who has digested the whole linked article) can tell if perl is really vulnerable here.

        yes, perl is vulnerable. (There's a "but" explained below.) We can see it that it's vulnerable here:

        $f = "%%%%"; printf("$f\n");

        If perl wasn't vulnerable, it would display %%%% instead of %%. However, the vulnerability cannot be exploited. Perl's version of the (s)printf functions will not clobber the stack if the numbre or replaceables does not match the number of the arguments. What you'll get is incorrectly formatted data (which could possibly be used to exploit something else), but that's it.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://406656]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (5)
As of 2014-08-30 22:46 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The best computer themed movie is:











    Results (294 votes), past polls