httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: svn commit: r1205894 - in /httpd/httpd/trunk: include/util_filter.h modules/cache/mod_cache.c server/util_filter.c
Date Sun, 27 Nov 2011 18:00:42 GMT

On Nov 27, 2011, at 11:33 AM, Stefan Fritsch wrote:
>> +            else {
>> +                va_list ap;
>> +                const char *res;
>> +                va_start(ap, fmt);
>> +                res = apr_pvsprintf(r->pool, fmt, ap);
>> +                va_end(ap);
>> +                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, res, NULL);
>> +            }
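Review bot: the last line of this hunk hands `res` to ap_log_rerror as its format string, and `res` is the output of apr_pvsprintf over the caller's arguments, so any '%' those arguments carry (a URL, for instance) would be parsed as a format directive rather than logged literally. Pass it as an argument to a fixed format instead: `ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, "%s", res);`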
> 
> No, this is not right. If some caller passes arguments to ap_pass_brigade_fchk that may
> cause the result of apr_pvsprintf to contain a "%", you would get a format-string vulnerability.
> This could easily happen if some error message included the URL.
> 
> You must use
> 
>     ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, "%s", res);
> 
> instead.

Thx!
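The hazard Stefan describes and the corrected call, as an added C example that is not httpd's code: `log_msg` is a hypothetical stand-in for ap_log_rerror that renders into a buffer, `pass_fchk_log` is the corrected shape of the wrapper in the hunk, and `count_directives` shows why the intermediate string must never be reused as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for ap_log_rerror: a printf-style logger that
 * renders into a caller-supplied buffer. Hypothetical, not httpd's API. */
static int log_msg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap; int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Number of '%' characters in s that vsnprintf would treat as directives
 * (a literal "%%" is not one). A formatted message with a non-zero count
 * must not be handed to any printf-style function as its format. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Corrected shape of the wrapper from the commit: format the caller's
 * message once, then hand the result to the logger as a "%s" argument
 * so any '%' it contains (for example from a URL) stays literal. */
int pass_fchk_log(char *out, size_t outlen, const char *fmt, ...)
{
    char res[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(res, sizeof res, fmt, ap);
    va_end(ap);
    return log_msg(out, outlen, "%s", res);
}

int main(void)
{
    char buf[256];  /* constructed URL with a percent-encoded byte */
    pass_fchk_log(buf, sizeof buf, "filter failed for %s", "/dl?q=100%25off");
    printf("%s (directives if reused as fmt: %d)\n", buf, count_directives(buf));
    return 0;
}
```

The count of 1 on the rendered message is the '%25o' that a second printf-style pass would have consumed as a width-25 octal conversion with no matching argument.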