Format string vulnerabilities
Posted Feb 5, 2012 22:25 UTC (Sun) by k8to (subscriber, #15413)
It's better than expecting that the program's name will always match the compiled-in name.
Sure, you get a new input vector, but that text is in your program anyway, and will be evaluated by some code you didn't write. I'm not convinced this is a real problem. Patterns where you allow program-generated text to be used as a format string really should be either not used or very, very carefully audited.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.