PerlMonks  

Re^3: use of print f and sprint f

by chb (Deacon)
on Nov 10, 2004 at 14:06 UTC


in reply to Re^2: use of print f and sprint f
in thread use of print f and sprint f

Hm, does this vulnerability really exist in perl? perldoc -f sprintf says perl uses its own formatting (just emulating libc's sprintf). The only exceptions are floating point numbers (with standard modifiers). I am not a security expert, but maybe someone who is (or someone who has digested the whole linked article) can tell if perl is really vulnerable here.

Re^4: use of print f and sprint f
by ikegami (Patriarch) on Nov 10, 2004 at 14:41 UTC

    yes, perl is vulnerable. (There's a "but" explained below.) We can see that it's vulnerable here:

    $f = "%%%%"; printf("$f\n");

    If perl wasn't vulnerable, it would display %%%% instead of %%. However, the vulnerability cannot be exploited. Perl's version of the (s)printf functions will not clobber the stack if the number of replaceables does not match the number of the arguments. What you'll get is incorrectly formatted data (which could possibly be used to exploit something else), but that's it.

      cannot be exploited
      Depends on what you mean, I guess. Check out the perldoc, and look at the %n format. You can set values.
      %n special: *stores* the number of characters output so far into the next variable in the parameter list
      Suppose I have the following code:
      my $name = ...;   ## from user input
      my $amount = ...;
      printf "$name : \$%.02f\n", $amount;
      # instead of
      # printf "%s : \$%.02f\n", $name, $amount;
      Now, if a clever hacker goes in and inputs
      $name = (" " x 5000) . "%n";
      then after the code runs, $amount will be set to 5000. This is a pretty rare set of circumstances, but still something to watch out for.

      Update: see also Re: $#="%c"; possible bug

      blokhead

      I'm sorry, but I don't understand what your point could possibly be. The documentation states that the first parameter to printf is expected to be a string with placeholders that begin with % and that you should use %% when you want an explicit %. Your assertion that it should print %%%% does not follow from anything in the documentation. Perhaps I'm missing something so could you please explain yourself a little better?

        We were talking about using:
        printf("$l, $j, %.3f ...\n", $Hx, ...);
        rather than
        printf("%s, %s, %.3f ...\n", $l, $j, $Hx, ...);
        and the question was whether the first one was unsafe.

        My snippet demonstrated that escapes inside $l do get processed by printf (which to me is obvious) and therefore printf is subject to coercion by the user ("vulnerable") if the first method is used. It's not as vulnerable as the C version, but it's still dangerous.
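An added example (not from any of the posts above) that runs the unsafe and safe forms blokhead and ikegami discuss side by side on a few constructed names, including the %%%% case and a %n case, and reports whether $amount survived each call; the names unsafe_line and safe_line are chosen here, and the inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Unsafe form from the thread: the user-controlled name is interpolated
# into the template, so sprintf parses any % directive the user typed.
# $_[1] is passed directly because @_ aliases the caller's variable; that
# aliasing is what lets a %n directive store into the caller's $amount.
sub unsafe_line { return sprintf "$_[0] : \$%.02f\n", $_[1] }

# Safe form: a fixed template, with user data supplied only as a %s
# argument, so its content is copied verbatim and never parsed.
sub safe_line { return sprintf "%s : \$%.02f\n", $_[0], $_[1] }

# Constructed inputs: an ordinary name, one with literal percent signs
# (ikegami's %% case), and one carrying %n (blokhead's case, with 20
# spaces instead of 5000 so the output stays readable).
my @names = ("alice", "100%% sure", (" " x 20) . "%n");

for my $name (@names) {
    for my $form (["unsafe", \&unsafe_line], ["safe", \&safe_line]) {
        my ($label, $fn) = @$form;
        my $amount = 19.99;

        # For the %n name the unsafe form also emits a "Missing argument
        # in sprintf" warning: %n consumed the only argument, so %.02f
        # has nothing left to format. That warning is itself a useful
        # signal in logs that a template is being built from user data.
        my $out = $fn->($name, $amount);
        chomp(my $shown = $out);

        print "[$label] $shown\n";
        print "[$label] amount after call: $amount",
              ($amount == 19.99 ? "" : "  <-- overwritten via %n"), "\n";
    }
    print "\n";
}
```

Only the safe form preserves the literal percent signs and leaves $amount untouched for every input; the unsafe form collapses %% and lets %n write into the caller's variable.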
