From: Hoehle, Joerg-C. <Joe...@t-...> - 2006-01-03 10:23:39
Sam Steingold wrote:
> the only arguments for your patch I can think of is [2 reasons]

And those are reason enough, don't you think?

> how is the syslog way more dangerous?
> - user expectations: special handling of % may be surprising

That's the answer already. Application programmers may log user-given input, e.g. URLs. Thus specially crafted URLs can cause the application to crash. That's a very typical software vulnerability.

Telling the application programmer that he needs

  (loop for pos = (position #\% output)
                then (position #\% output :start (+ pos 2))
        while pos
        ;; either that or turn % to %%:
        do (ecase (char output (1+ pos)) ((#\% #\m) t)))

would be way stupid, given that there's no way to make use of %s etc. in the interface the module provides so far. My %s patch provides a no-surprise and robust interface to the syslog facility.

Please scan the CERT vulnerabilities. You will find exactly this patch in other packages. That's, BTW, how I came to look into the syscalls package.

> OTOH, what if the user uses some foreign calls?
> then he should have errno available as a foreign thing as well.

Already there in the linux module (you may wish to duplicate it in posix?).

So I think that the next urgent thing is to fix the security gap. Too bad that clisp-2.37 is out in the meantime. It would have been a perfect match: the hypothetical CERT message would have said "fixed in 2.37, please upgrade".

Regards,
Jorg Hohle