
Re: [Chicken-users] Syslog string protection error

From: Peter Bex
Subject: Re: [Chicken-users] Syslog string protection error
Date: Thu, 8 Dec 2011 10:53:01 +0100
User-agent: Mutt/

On Thu, Dec 08, 2011 at 10:49:04AM +0100, Vok Vojwo wrote:
> The code of the syslog egg uses
>     syslog(prio,\"%s\",msg);
> to send the message. On Linux the above code is about 30% slower than this:
>     syslog(prio, msg);

And it's also completely wrong and insecure.  If you pass in a string
containing percent signs, the code will crash, and if the string is
constructed from user input, this can be exploited.  Same as for printf.

"The process of preparing programs for a digital computer
 is especially attractive, not only because it can be economically
 and scientifically rewarding, but also because it can be an aesthetic
 experience much like composing poetry or music."
                                                        -- Donald Knuth
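
The point made in the reply above, as an added example that is not part of the original message or the syslog egg: a message used as the format string has its percent signs interpreted as conversions, while the `"%s"` form treats it as data. The helper names `count_conversions`, `render_as_data` and `log_untrusted` and the sample messages are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count the conversion specifications a printf-style function would act on
 * if `s` were used as the format string. "%%" is a literal percent sign.
 * A non-zero result means syslog(prio, s) would fetch arguments that were
 * never passed. Hypothetical helper, for illustration. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') {   /* escaped percent, not a conversion */
            s++;
            continue;
        }
        n++;                 /* "%s", "%d", "% c", a trailing "%", ... */
    }
    return n;
}

/* Format msg the way syslog(prio, "%s", msg) does: msg is data, so its
 * percent signs are copied through unchanged. */
int render_as_data(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/* Constant format string, untrusted text passed as an argument.
 * gcc/clang flag the other form with -Wformat -Wformat-security. */
void log_untrusted(int prio, const char *msg)
{
    syslog(prio, "%s", msg);
}

int main(void)
{
    /* Constructed sample messages, not taken from the thread. */
    const char *samples[] = { "login ok", "rate 5%% up",
                              "disk at 100% capacity", "name=%s id=%d" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        render_as_data(buf, sizeof buf, samples[i]);
        printf("%-24s conversions=%d intact=%d\n", samples[i],
               count_conversions(samples[i]), strcmp(buf, samples[i]) == 0);
        log_untrusted(LOG_INFO, samples[i]);
    }
    return 0;
}
```

Even an ordinary message such as "disk at 100% capacity" contains a conversion ("% c"), so the problem is not limited to deliberately crafted input.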
