[Python-Dev] strncpy
Greg Stein
gstein@lyra.org
Thu, 13 Jul 2000 01:54:25 -0700
On Thu, Jul 13, 2000 at 01:07:30AM -0500, Paul Prescod wrote:
>...
> > Easy but tedious to
> > fix (e.g., #define the buf length, and use runtime code in
> > conjunction with strncpy to guarantee buf's bounds are respected).
>
> Let me suggest two non-tedious solutions so you can shoot them down:
>
> 1.
>
> sprintf(buf, "Local variable referenced "
> "before assignment: %.128s",
> namestr);
>
> Rationale: if you don't know what variable I'm talking about after 128
> characters, you've got bigger problems than I can help with. I see this
> solution elsewhere in the code.
>
> 2.
>
> Add an implementation of snprintf to our code and fix the other hundred
> or so sprintf occurrences to use it. Most of them are safe but it
> couldn't hurt to pass cleanly through those heuristic security checkers.
>
> Here's one:
>
> http://www.ijs.si/software/snprintf/
>
> And there is one in Apache.

Actually, I looked into this a few months ago. There isn't a need to bulk up
Python with a complete snprintf() solution. We really only use a couple
format codes for generating error strings. Please see my note at:

  http://www.python.org/pipermail/python-dev/2000-April/010051.html

Cheers,
-g

--
Greg Stein, http://www.lyra.org/
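
The two options quoted in this message, side by side, as an added example that is not code from the thread or from the Python source: a precision-capped sprintf() into a buffer sized from the same constant, and a C99 snprintf() call that reports truncation. The macro names, the helper functions and the buffer sizing are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MSG_PREFIX "Local variable referenced before assignment: "
#define NAME_SHOWN_MAX 128  /* same cap as the %.128s in the quoted message */
/* sizeof(MSG_PREFIX) already counts the terminating NUL. */
#define MSG_BUF_SIZE (sizeof(MSG_PREFIX) + NAME_SHOWN_MAX)

/* Option 1: plain sprintf, but the precision limits how many bytes of
 * namestr are copied, so a buffer of MSG_BUF_SIZE bytes cannot overflow. */
size_t format_with_precision(char *buf, const char *namestr)
{
    return (size_t)sprintf(buf, MSG_PREFIX "%.*s", NAME_SHOWN_MAX, namestr);
}

/* Option 2: snprintf bounds the whole output instead. Returns 1 when the
 * message did not fit (or on an output error), 0 when it fit completely. */
int format_with_snprintf(char *buf, size_t size, const char *namestr)
{
    int n = snprintf(buf, size, MSG_PREFIX "%s", namestr);
    return n < 0 || (size_t)n >= size;
}

/* Constructed input: a name of name_len 'x' bytes (name_len < 2048). */
static const char *make_name(char *store, size_t name_len)
{
    memset(store, 'x', name_len);
    store[name_len] = '\0';
    return store;
}

size_t demo_precision_len(size_t name_len)
{
    char name[2048], buf[MSG_BUF_SIZE];
    format_with_precision(buf, make_name(name, name_len));
    return strlen(buf);
}

int demo_snprintf_truncated(size_t name_len)
{
    char name[2048], buf[MSG_BUF_SIZE];
    return format_with_snprintf(buf, sizeof buf, make_name(name, name_len));
}

int main(void)
{
    printf("%zu %d\n", demo_precision_len(1000), demo_snprintf_truncated(1000));
    return 0;
}
```

Option 1 stays safe only while the buffer size and the precision are derived from the same constant; option 2 keeps the bound at the call site and lets the caller detect truncation.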