
RE: Perl PR: "Security holes in Sys::Syslog"

From: Jan Dubois
Date: December 6, 2005 09:05
Subject: RE: Perl PR: "Security holes in Sys::Syslog"
Message ID: 04b301c5fa87$3ae96370$2217a8c0@candy

On Tue, 06 Dec 2005, Gisle Aas wrote:
> "Jan Dubois" <jand@ActiveState.com> writes:
> 
> > For backward compatibility reasons people should not rely
> > on this change, so I would not document it at all.
> 
> I still think it should be documented.  I applied change #26277 to
> address your concern.  It goes like this:

I think you should mention that in earlier versions of Perl a "hostile
formatting sequence" can trigger a security vulnerability by causing a
buffer overrun.  To me the paragraph below still mostly reads as if you
are trying to protect older Syslog versions from producing garbled log
entries, not from being the victim of a security exploit.

Cheers,
-Jan
 
> Index: perl/ext/Sys/Syslog/Syslog.pm
> --- perl/ext/Sys/Syslog/Syslog.pm.~1~   Tue Dec  6 16:41:40 2005
> +++ perl/ext/Sys/Syslog/Syslog.pm       Tue Dec  6 16:41:40 2005
> @@ -77,6 +77,14 @@
>  guess the I<$ident> by extracting the shortest prefix of I<$format>
>  that ends in a ":".
> 
> +Note that Sys::Syslog version v0.07 and older passed the $message as
> +the formatting string to sprintf() even when no formatting arguments
> +where provided.  If the code calling syslog() might execute with older
> +versions of this module, make sure to call the function as
> +syslog($priority, "%s", $message) instead of syslog($priority,
> +$message).  This protects against hostile formatting sequences that
> +might show up if $message contains tainted data.
> +
>  =item setlogmask $mask_priority
> 
>  Sets log mask I<$mask_priority> and returns the old mask.
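Review bot: The third added line has a typo: "where provided" should read "were provided". The new paragraph also writes $message, sprintf() and syslog() bare, while the context lines just above it mark variables up as I<$ident> and I<$format>; using I<$message> and C<syslog($priority, "%s", $message)> would keep the POD consistent and make the recommended call form render as code. The closing sentence names "hostile formatting sequences" without saying what they can cause on v0.07 and older, which is the point raised in the reply above; one clause stating the consequence would tell readers why the "%s" form matters.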
> End of Patch.
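
The difference between the two call forms discussed in this thread, as an added illustration (not code from the thread or from Sys::Syslog). `format_old` and `format_new` are hypothetical stand-ins that only model how the message string is built, following the wording of the patch, and the sample message is constructed.

```perl
#!/usr/bin/perl
# Added illustration; not code from Sys::Syslog. The two format_* subs are
# hypothetical stand-ins that only model how the message string is built.
use strict;
use warnings;

# Models v0.07 and older as described in the patch text: the first
# argument after the priority always goes through sprintf().
sub format_old {
    my ($format, @args) = @_;
    no warnings;    # missing-argument warnings are expected here
    return sprintf($format, @args);
}

# Models the later behaviour implied by the patch text: sprintf() is
# only used when formatting arguments were actually supplied.
sub format_new {
    my ($format, @args) = @_;
    return @args ? sprintf($format, @args) : $format;
}

# Constructed sample: a log message built from untrusted input that
# happens to contain printf-style conversions.
my $message = 'login failed for user "100% free %s %d"';

my %calls = (
    'old, syslog($pri, $message)'       => format_old($message),
    'old, syslog($pri, "%s", $message)' => format_old('%s', $message),
    'new, syslog($pri, $message)'       => format_new($message),
    'new, syslog($pri, "%s", $message)' => format_new('%s', $message),
);

# Report, per call form, whether the logged text still equals the input.
for my $call (sort keys %calls) {
    my $verdict = $calls{$call} eq $message ? 'intact ' : 'ALTERED';
    printf "%-36s %s  %s\n", $call, $verdict, $calls{$call};
}
```

Only the `"%s"` form leaves the message untouched under both models, which is why the patch recommends it for code that may run against older versions of the module.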


