apr-dev mailing list archives

From Nick Kew <n...@webthing.com>
Subject Constructing a va_list?
Date Mon, 28 May 2007 12:15:00 GMT
I'm looking to implement a DBD driver with a library that
has no prepared statement support.  Having asked on its
developer list, they recommend using stored procedures.

That means we lose the safety of passing in all user
input as data.  So in turn, we need to untaint it carefully.
I have a scheme for that, involving things like "%{regexp}s"
in a format string.  But this relies on constructing an
untainted list of args from a tainted one, then constructing
an SQL statement from the untainted arguments list.

Conceptually, I'm trying to do something like this:

#include <stdarg.h>
#include <regex.h>
#include "apr_pools.h"
#include "apr_strings.h"

char* safe_statement(apr_pool_t *pool, int nargs,
                     regex_t **taint, char *fmt, ...)
{
    va_list args;
    va_list newargs;
    int i;

    va_start(args, fmt);
    for (i=0; i<nargs; i++) {
       char *val = va_arg(args, char*);
       char *newval = untaint(pool, taint[i], val);

       /* now conceptually set newargs[i] to newval
        * (this is the step I don't know how to write) */
    }
    va_end(args);

    /* now pass the new args list to a normal vararg function */

    return apr_pvsprintf(pool, fmt, newargs);
}

but how to construct a va_list eludes me (and the nearest google
comes is "you can do it by dereferencing args in MSVC++ but that
fails in gcc").

Is there a way to do this?

Nick Kew

Application Development with Apache - the Apache Modules Book
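The portable way round the problem in the message above, as an added example that is not from the original post and not APR code: ISO C gives no way to populate a fresh va_list (C99's va_copy only duplicates an existing one), so instead walk the incoming va_list once, untaint each argument into an ordinary array, and do the placeholder substitution yourself rather than handing a second va_list to a vprintf-style function. The untaint() and build_from_array() helpers, the use of POSIX <regex.h> in place of APR's pool and regex wrappers, the restriction of the format to "%s" and "%%", the demo_statement() scenario and its sample inputs are all assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>

/* Assumed helper: malloc'd copy of val if it matches the anchored whitelist
 * regex, NULL otherwise (fail closed). */
static char *untaint(const regex_t *re, const char *val)
{
    if (val == NULL || regexec(re, val, 0, NULL, 0) != 0)
        return NULL;
    return strdup(val);
}

/* Assumed helper: substitute each "%s" in fmt with vals[] in order, "%%" -> "%".
 * Any other conversion, a lone '%', or a count mismatch is rejected. */
static char *build_from_array(const char *fmt, char **vals, int nvals)
{
    size_t len = 0;
    int k = 0;
    const char *p;
    char *out, *q;

    for (p = fmt; *p; p++) {                 /* pass 1: validate and measure */
        if (*p != '%') { len++; continue; }
        p++;
        if (*p == 's') {
            if (k >= nvals) return NULL;
            len += strlen(vals[k++]);
        } else if (*p == '%') {
            len++;
        } else {
            return NULL;                     /* "%d", "%n", trailing '%': refused */
        }
    }
    if (k != nvals) return NULL;             /* every untainted value must be used */

    if ((out = malloc(len + 1)) == NULL) return NULL;
    for (p = fmt, q = out, k = 0; *p; p++) { /* pass 2: copy */
        if (*p != '%') { *q++ = *p; continue; }
        p++;
        if (*p == 's') {
            size_t n = strlen(vals[k]);
            memcpy(q, vals[k++], n);
            q += n;
        } else {
            *q++ = '%';
        }
    }
    *q = '\0';
    return out;
}

/* Same shape as the posted prototype minus the pool: nargs tainted strings come
 * in through the va_list, each is checked against taint[i], and the statement
 * is built from the resulting array instead of from a second va_list. */
char *safe_statement(int nargs, regex_t **taint, const char *fmt, ...)
{
    va_list args;
    char **vals = calloc((size_t)nargs, sizeof *vals);
    char *out = NULL;
    int i, ok = 1;

    if (vals == NULL) return NULL;
    va_start(args, fmt);
    for (i = 0; i < nargs; i++) {
        const char *val = va_arg(args, const char *);
        vals[i] = untaint(taint[i], val);    /* keep consuming args after a failure */
        if (vals[i] == NULL) ok = 0;
    }
    va_end(args);

    if (ok) out = build_from_array(fmt, vals, nargs);
    for (i = 0; i < nargs; i++) free(vals[i]);
    free(vals);
    return out;
}

/* Constructed scenario: a column name (an identifier, which no prepared
 * statement could bind anyway) and a numeric id. Returns the statement, or
 * NULL if either value fails its whitelist. */
char *demo_statement(const char *column, const char *id)
{
    regex_t ident, digits;
    regex_t *taint[2] = { &ident, &digits };
    char *out;

    if (regcomp(&ident, "^[A-Za-z_][A-Za-z0-9_]*$", REG_EXTENDED | REG_NOSUB) != 0)
        return NULL;
    if (regcomp(&digits, "^[0-9]+$", REG_EXTENDED | REG_NOSUB) != 0) {
        regfree(&ident);
        return NULL;
    }
    out = safe_statement(2, taint, "SELECT %s FROM users WHERE id = %s", column, id);
    regfree(&ident);
    regfree(&digits);
    return out;
}
```

Two things to keep in mind when reusing this. The whitelists are what make interpolation safe: both patterns are anchored and exclude quotes, whitespace and comment sequences, so a value like "42 OR 1=1" is rejected outright rather than escaped. A pattern loose enough to admit free text (a user-supplied name, say) would bring back the need for driver-specific quoting, which this code does not attempt. And because the format is parsed by build_from_array rather than handed to printf, a stray "%n" or "%d" in fmt is refused instead of reading or writing through the argument list.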
