Beefy Boxes and Bandwidth Generously Provided by pair Networks
Syntactic Confectionery Delight
 
PerlMonks  

Re^4: use of print f and sprint f

by ikegami (Pope)
on Nov 10, 2004 at 14:41 UTC ( #406683=note: print w/ replies, xml ) Need Help??


in reply to Re^3: use of print f and sprint f
in thread use of print f and sprint f

yes, perl is vulnerable. (There's a "but" explained below.) We can see it that it's vulnerable here:

$f = "%%%%"; printf("$f\n");

If perl wasn't vulnerable, it would display %%%% instead of %%. However, the vulnerability cannot be exploited. Perl's version of the (s)printf functions will not clobber the stack if the numbre or replaceables does not match the number of the arguments. What you'll get is incorrectly formatted data (which could possibly be used to exploit something else), but that's it.


Comment on Re^4: use of print f and sprint f
Download Code
Re^5: use of print f and sprint f
by !1 (Hermit) on Nov 10, 2004 at 16:44 UTC

    I'm sorry, but I don't understand what your point could possibly be. The documentation states that the first parameter to printf is expected to be a string with placeholders that begin with % and that you should use %% when you want an explicit %. Your assertion that it should print %%%% does not follow from anything in the documentation. Perhaps I'm missing something so could you please explain yourself a little better?

      We were talking about using:
      printf("$l, $j, %.3f ...\n", $Hx, ...);
      rather than
      printf("%s, %s, %.3f ...\n", $l, $j, $Hx, ...);
      and the question was whether the first one was unsafe.

      My snippet demonstrated that escapes inside $l do get processed by printf (which to me is obvious) and therefore printf is subject to coersion by the user ("vulnerable") if the first method is used. It's not as vulnerable as C version, but it's still dangerous.

Re^5: use of print f and sprint f
by blokhead (Monsignor) on Nov 10, 2004 at 16:50 UTC
    cannot be exploited
    Depends on what you mean, I guess.. Check out the perldoc, and look at the %n format. You can set values.
    %n special: *stores* the number of characters output so far into the next variable in the parameter list
    Suppose I have the following code:
    my $name = ...; ## from user input my $amount = ...; printf "$name : \$%.02f\n", $amount; # instead of # printf "%s : \$%.02f\n", $name, $amount;
    Now, if a clever hacker goes in and inputs
    $name = (" " x 5000) . "%n";
    then after the code runs, $amount will be set to 5000. This is a pretty rare set of circumstances, but still something to watch out for.

    Update: see also Re: $#="%c"; possible bug

    blokhead

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://406683]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others avoiding work at the Monastery: (6)
As of 2014-09-21 07:40 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    How do you remember the number of days in each month?











    Results (167 votes), past polls