[Python-Dev] PyErr_Format security note

Jim Fulton jim@digicool.com
Mon, 15 Nov 1999 11:29:13 -0500


"A.M. Kuchling" wrote:
> 
> I noticed this in PyErr_Format(exception, format, va_alist):
> 
>         char buffer[500]; /* Caller is responsible for limiting the format */
>         ...
>         vsprintf(buffer, format, vargs);
> 
> Making the caller responsible for this is error-prone.  The danger, of
> course, is a buffer overflow caused by generating an error string
> that's larger than the buffer, possibly letting people execute
> arbitrary code.  We could add a test to the configure script for
> vsnprintf() and use it when possible, but that only fixes the problem
> on platforms which have it.  Can we find an implementation of
> vsnprintf() someplace?

I would prefer to see a different interface altogether:

  PyObject *PyErr_StringFormat(errtype, format, buildformat, ...)

So, you could generate an error like this:

  return PyErr_StringFormat(ErrorObject, 
     "You had too many, %d, foos. The last one was %s", 
     "iO", n, someObject)

I implemented this in cPickle. See cPickle_ErrFormat.
(Note that it always returns NULL.)

Jim

--
Jim Fulton           mailto:jim@digicool.com   Python Powered!        
Technical Director   (888) 344-4332            http://www.python.org  
Digital Creations    http://www.digicool.com   http://www.zope.org    

Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B) This email
address may not be added to any commercial mail list without my
permission.  Violation of my privacy with advertising or SPAM will
result in a suit for a MINIMUM of $500 damages/incident, $1500 for
repeats.
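As an added illustration of the first fix the thread floats (bounding the write with vsnprintf() instead of vsprintf()), here is a small C example. It is not code from CPython, from cPickle or from either poster; the function names bounded_err_format, err_format_truncated and demo_overlong_message are hypothetical. It keeps the same caller-supplied fixed buffer as the quoted PyErr_Format, but never writes past its end, and it returns the length the full message would have needed so the caller can tell that the message was cut rather than silently losing the tail or overrunning the stack.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded replacement for the vsprintf() call quoted above.
 * Formats into the caller-supplied buf of size bufsize and never writes
 * beyond it. Returns the number of characters the complete message would
 * need (excluding the terminating NUL), or -1 on a formatting error, so
 * the caller can detect truncation instead of overflow. */
int bounded_err_format(char *buf, size_t bufsize, const char *format, ...)
{
    va_list args;
    int needed;

    if (buf == NULL || bufsize == 0)
        return -1;

    va_start(args, format);
    needed = vsnprintf(buf, bufsize, format, args);  /* always NUL-terminates */
    va_end(args);

    if (needed < 0) {
        buf[0] = '\0';
        return -1;
    }
    return needed;
}

/* Returns 1 when the message reported by bounded_err_format did not fit. */
int err_format_truncated(size_t bufsize, int needed)
{
    return needed >= 0 && (size_t)needed >= bufsize;
}

/* Mirrors the quoted situation: a 500-byte buffer and a caller-influenced
 * string (constructed here as 999 'A's) that is longer than the buffer.
 * Returns 1 if the result was truncated and still fits the buffer. */
int demo_overlong_message(void)
{
    char buffer[500];
    char big[1000];
    int needed;

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    needed = bounded_err_format(buffer, sizeof buffer, "bad value: %s", big);

    /* "bad value: " is 11 chars plus 999 'A's, so needed == 1010, while
     * buffer holds 499 characters plus the NUL. */
    return err_format_truncated(sizeof buffer, needed)
        && strlen(buffer) == sizeof buffer - 1;
}
```

The return value convention is the one vsnprintf() itself uses, so a caller that wants the untruncated message can allocate `needed + 1` bytes and format again; a caller that is happy with a clipped message can just check err_format_truncated() and carry on, which is the property the 500-byte PyErr_Format buffer lacked.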