
RE: Perl PR: "Security holes in Sys::Syslog"

From: Jan Dubois
Date: December 3, 2005 08:17
Subject: RE: Perl PR: "Security holes in Sys::Syslog"
Message ID: 08d301c5f825$04fee820$2217a8c0@candy
On Sat, 03 Dec 2005, Gisle Aas wrote:
> I also think the following patch would be a good idea. Concerns?

I think the code change is a good defensive measure, but the
doc change is slightly dangerous:

People using the fixed version of Syslog are assured by the
docs that it is safe to use a "tainted" $message as long as
they don't specify any @args.  But when they distribute this
code to users running older versions of Perl they will expose
them to the format string vulnerability.

For backward compatibility reasons people should not rely
on this change, so I would not document it at all.

Cheers,
-Jan

> diff -ru perl-current/ext/Sys/Syslog/Syslog.pm perl-hack/ext/Sys/Syslog/Syslog.pm
> --- perl-current/ext/Sys/Syslog/Syslog.pm	2005-08-31 17:44:06.000000000 +0200
> +++ perl-hack/ext/Sys/Syslog/Syslog.pm	2005-12-03 12:28:35.000000000 +0100
> @@ -65,10 +65,12 @@
> 
>  B<You should use openlog() before calling syslog().>
> 
> +=item syslog $priority, $message
> +
>  =item syslog $priority, $format, @args
> 
> -If I<$priority> permits, logs I<($format, @args)>
> -printed as by C<printf(3V)>, with the addition that I<%m>
> +If I<$priority> permits, logs C<$message> or C<sprintf($format, @args)>,
> +with the addition that I<%m> in $message or $format
>  is replaced with C<"$!"> (the latest error message).
> 
>  If you didn't use openlog() before using syslog(), syslog will try to
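Review bot: the new `=item syslog $priority, $message` entry presents the one-argument call as a supported way to log a message verbatim, but nothing in the hunk says this is new behaviour, so code written against this documentation and run with an earlier Sys::Syslog still pushes `$message` through `sprintf`. Either leave the one-argument form undocumented, or add a sentence stating the version in which it first appeared and pointing callers at the portable form `syslog($priority, '%s', $message)`. The rewritten sentence would also read more clearly if it said which case applies when, e.g. "logs C<$message> verbatim when no further arguments are given, otherwise C<sprintf($format, @args)>".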
> @@ -320,7 +322,7 @@
> 
>      $mask =~ s/(?<!%)%m/$!/g;
>      $mask .= "\n" unless $mask =~ /\n$/;
> -    $message = sprintf ($mask, @_);
> +    $message = @_ ? sprintf ($mask, @_) : $mask;
> 
>      $sum = $numpri + $numfac;
>      my $buf = "<$sum>$whoami: $message\0";
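Review bot: the `@_ ? sprintf ($mask, @_) : $mask` branch is a visible behaviour change for callers who already escaped literal percent signs: a no-argument call with `"100%% done"` used to be emitted as `100% done` by `sprintf` and now arrives verbatim as `100%% done`. That is the right trade for untrusted text, but it deserves a line in the change description so such callers know to pass at least one argument (`'%s', $message`) if they want the old escaping. The `%m` substitution on the line above still runs before the branch, so the documentation's claim that `%m` in `$message` is replaced holds in both cases.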

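The following script is an added illustration, not code from Sys::Syslog or from this thread. It models the message-formatting step shown in the second hunk (before and after the patch) as two small functions, feeds them a constructed untrusted string, and contrasts that with the constant-format call that behaves the same way on both old and patched versions. The function names and the sample input are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Model of the formatting step in syslog() BEFORE the patch (hypothetical
# helper for illustration): the message is always passed to sprintf.
sub format_old {
    my ($mask, @args) = @_;
    $mask =~ s/(?<!%)%m/$!/g;          # %m -> latest error message
    $mask .= "\n" unless $mask =~ /\n$/;
    return sprintf($mask, @args);      # untrusted text becomes the format
}

# Model of the same step AFTER the patch: with no extra arguments the
# message is used verbatim, otherwise it is still a sprintf format.
sub format_new {
    my ($mask, @args) = @_;
    $mask =~ s/(?<!%)%m/$!/g;
    $mask .= "\n" unless $mask =~ /\n$/;
    return @args ? sprintf($mask, @args) : $mask;
}

# Constructed untrusted input, e.g. a username copied from a request.
# It contains conversions that sprintf will try to honour.
my $untrusted = 'login for "%s" failed (disk 100% full)';

# 1. The call the new documentation would permit: message only, no @args.
#    The old code path consumes the %-sequences and warns about missing
#    arguments; the new path logs the text as-is.
{
    local $SIG{__WARN__} = sub { print "  warning: $_[0]" };
    print "old, message only : ", format_old($untrusted);
    print "new, message only : ", format_new($untrusted);
}

# 2. Portable form: a constant format with the untrusted text as an
#    argument. Both versions produce the same line, and %m inside the
#    untrusted text is not expanded either.
print "old, '%s' format  : ", format_old('%s', $untrusted);
print "new, '%s' format  : ", format_new('%s', $untrusted);
```

Run it with `perl` to see the difference between the two paths in case 1 and the identical output in case 2; case 2 is the form to use in code that may run against an unpatched Sys::Syslog.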