#74 syslog does not escape percent signs

closed-fixed
Mike Sperber
run-time (53)
5
2003-06-16
2003-05-29
Andreas Bernauer
No

----- Forwarded message from Peter Wang <tjaden@alphalink.com.au> -----
(posted to scsh-news)
Hello, I'm not sure what to make of this. scsh segfaults if I ask the
SUnet web server for particularly-named files.

Here's the output from the server:

# ./start-web-server -h /var/www -c /var/www/cgi-bin -p 8000 -l /var/log/httpd.log
[...]
syslogging activated.
zsh: segmentation fault ./start-web-server-via-image -h /var/www -c
/var/www/cgi-bin -p 8000 -l

Here's the request:

$ wget 'http://localhost:8000/1 Last Show'
--02:24:04-- http://localhost:8000/1%20Last%20Show
=> `1%20Last%20Show'
[...]
----- End forwarded message -----

I tracked this error down to the syslog facility. The problem is that
the syslog function seems not to escape the percent signs in the
syslog message. According to the man page the syslog message
string is formatted like a printf(3) string. On my Linux system the string
`1%20Last%20Show' contains a pointer to an array that is of course
not present and thus causes a segfault while calling syslog(3).

A solution may be to escape the message string before sending it
through the FFI (e.g. in scsh/syslog.scm).

The attached file contains a small scsh script that causes the scshvm
to segfault on both Linux and FreeBSD.

Discussion

  • Peter Wang
    2003-06-07

    Logged In: YES
    user_id=28616

    Just tell syslog(3) "%s" then? I can't find a way to attach
    here, so I'll just paste the patch (it's trivial anyway).

    --- syslog1.c.old Thu Mar 6 04:36:12 2003
    +++ syslog1.c Fri Jun 6 23:14:38 2003
    @@ -367,7 +367,7 @@

    if (!syslog_open)
    s48_raise_string_os_error("syslog isn't open");
    - syslog(facility | level, s48_extract_string (sch_message));
    + syslog(facility | level, "%s", s48_extract_string
    (sch_message));
    return S48_UNSPECIFIC;
    }
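Review bot: the added syslog() line is wrapped in the paste, with "(sch_message));" on its own line and no leading "+", so the hunk will not apply as posted; rejoin it into a single "+" line before committing. Passing a constant "%s" format with the extracted string as its argument is the right fix, since the message text no longer reaches syslog(3) as a format string and no escaping is needed on the Scheme side. It would be worth adding a regression test that logs a message such as `1%20Last%20Show` from the report, and building with -Wformat-security so any other call that passes a non-literal format gets flagged.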

     
    • assigned_to: nobody --> sperber
    • status: open --> closed-fixed
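The two mitigations discussed in this report, passing the message as a "%s" argument (the patch) and doubling percent signs before the call (the suggestion in the description), shown side by side as an added C example that is not scsh's code. The names `log_untrusted`, `escape_percent` and `render` are hypothetical, and `render` stands in for syslog(3)'s printf-style formatting step so the result can be inspected.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/* Patch's approach: untrusted text is an argument, never the format. */
void log_untrusted(int priority, const char *msg)
{
    syslog(priority, "%s", msg);
}

/* Report's approach: double each '%'. Returns a malloc'd string or NULL. */
char *escape_percent(const char *msg)
{
    /* Worst case every byte is '%', so 2 * length + NUL is enough. */
    char *out = malloc(2 * strlen(msg) + 1), *p = out;
    if (out == NULL)
        return NULL;
    for (const char *s = msg; *s; s++) {
        if (*s == '%')
            *p++ = '%';
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Hypothetical stand-in for syslog(3)'s printf-style expansion of fmt. */
int render(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    char buf[64];
    char *esc = escape_percent("1%20Last%20Show"); /* path from the report */
    if (esc == NULL)
        return 1;
    render(buf, sizeof buf, esc);   /* escaped text is inert as a format */
    printf("%s -> %s\n", esc, buf);
    log_untrusted(LOG_INFO, "1%20Last%20Show");
    free(esc);
    return 0;
}
```

The "%s" form is the simpler of the two: it needs no allocation and cannot be forgotten on one code path while applied on another.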