
Re: use of print f and sprint f

by busunsl (Vicar)
on Nov 10, 2004 at 12:16 UTC (#406656)

in reply to use of print f and sprint f

Have a look at the documentation of printf:

perldoc -f sprintf

You need a format string to format your values. You can try something like this:

printf "$l, $j, %.3f, %.3f, %.3f, %.3f\n", $Hx, $Hy, $Hxy, $mutual;

Re^2: use of print f and sprint f
by gellyfish (Monsignor) on Nov 10, 2004 at 13:32 UTC

    You should probably get into the habit of avoiding the interpolation of unchecked variables directly into the format string of (s)printf (as with $l and $j here) as a general rule. There has been some concern over the last few years about Format String vulnerabilities, and whilst it is not a flaw in Perl itself, the underlying C libraries could potentially be vulnerable.


      Hm, does this vulnerability really exist in perl? perldoc -f sprintf says perl uses its own formatting (just emulating libc's sprintf). The only exception are floating point numbers (with standard modifiers). I am not a security expert, but maybe someone who is (or someone who has digested the whole linked article) can tell if perl is really vulnerable here.

        Yes, perl is vulnerable. (There's a "but" explained below.) We can see that it's vulnerable here:

        $f = "%%%%"; printf("$f\n");

        If perl wasn't vulnerable, it would display %%%% instead of %%. However, the vulnerability cannot be exploited. Perl's version of the (s)printf functions will not clobber the stack if the number of replaceables does not match the number of arguments. What you'll get is incorrectly formatted data (which could possibly be used to exploit something else), but that's it.
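The two points above (gellyfish's advice to keep unchecked values out of the format string, and the "%%%%" demonstration that Perl does parse injected conversions but only produces wrong output) side by side, as an added example that is not code from the original thread. The formatter is written twice: once with the labels interpolated into the format, as in the reply at the top, and once with a constant format string. The label values and the four numbers are constructed sample input; the sub names are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample values (not from the thread): $l and $j stand in for
# labels that might arrive from user input, a filename or a config file.
my ($Hx, $Hy, $Hxy, $mutual) = (0.5, 0.25, 0.125, 0.0625);

# Risky: the labels are interpolated into the format string itself, so any
# '%' inside them is parsed by sprintf as a conversion specifier and starts
# consuming the numeric arguments that were meant for the %.3f fields.
sub format_interpolated {
    my ($l, $j, @vals) = @_;
    return sprintf "$l, $j, %.3f, %.3f, %.3f, %.3f\n", @vals;
}

# Safer: the format string is a constant and the labels are ordinary %s
# arguments, so whatever they contain is copied through untouched.
sub format_constant {
    my ($l, $j, @vals) = @_;
    return sprintf "%s, %s, %.3f, %.3f, %.3f, %.3f\n", $l, $j, @vals;
}

# Run a formatter and collect the warnings Perl emits (under 'use warnings')
# when the number of conversions and the number of arguments disagree.
# This is the only symptom: no memory is read or written out of bounds.
sub run_and_capture {
    my ($code) = @_;
    my @warnings;
    local $SIG{__WARN__} = sub { push @warnings, $_[0] };
    my $out = $code->();
    return ($out, \@warnings);
}

# A cheap guard for code that cannot be restructured: refuse labels that
# would introduce a conversion. (A constant format is still the real fix.)
sub label_is_safe_for_format {
    my ($label) = @_;
    return $label !~ /%/;
}

# Labels: a harmless one, the "%%%%" case from the thread, and two that
# swallow the numeric arguments.
for my $label ( 'entropy', '%%%%', '%s %s %s', '%d' ) {
    print "label: '$label'  safe to interpolate: ",
        ( label_is_safe_for_format($label) ? 'yes' : 'no' ), "\n";

    my ( $bad, $bad_warn ) = run_and_capture(
        sub { format_interpolated( $label, 'X', $Hx, $Hy, $Hxy, $mutual ) } );
    print "  interpolated: $bad";
    print "  warning:      $_" for @$bad_warn;

    my ( $good, $good_warn ) = run_and_capture(
        sub { format_constant( $label, 'X', $Hx, $Hy, $Hxy, $mutual ) } );
    print "  constant:     $good";
    print "  warning:      $_" for @$good_warn;
}
```

With the label '%%%%' the interpolated version prints '%%' where the constant version prints '%%%%', exactly the difference shown above. With '%s %s %s' the injected conversions eat the first three numbers, the remaining %.3f fields run out of arguments, and Perl reports "Missing argument in sprintf" for each of them; the constant-format version never warns and never mis-parses, whatever the label contains.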
