Re: gettext 0.16 vs 0.14.6

To: Alan Barrett <apb%cequrux.com@localhost>
Subject: Re: gettext 0.16 vs 0.14.6
From: David Laight <david%l8s.co.uk@localhost>
Date: Sun, 20 Jul 2008 21:37:24 +0100

On Fri, Jul 18, 2008 at 03:45:29PM +0200, Alan Barrett wrote:
> On Fri, 18 Jul 2008, Greg Troxel wrote:
> > I read the NEWS for gettext 0.17, and it didn't say anything about
> > printf argument reordering.  Is that something specified in POSIX, or a
> > Linuxism, or something else?  I can see it being useful for
> > printing internationalized dates.
> 
> I don't know who did it first, but SUSv3 calls it an "XSI"
> option.  It's not in the C99 standard, or in NetBSD's libc.  See
> <http://www.opengroup.org/onlinepubs/009695399/functions/sprintf.html>,
> which uses internationalised dates as an example.

It is a right PITA to implement, I suspect the original implementation
assumed that all the stack could be treated as an array!

Taking format specifiers from text files is a security nightmare.
An incorrect format (and the code can't specify a dummy one with the
types of the argumemts) can not only crash the program (just use %s),
but, in many cases, overwrite arbitrary stack locations with arbitrary
(although usually relativly small) values (look up %n).

        David

-- 
David Laight: david%l8s.co.uk@localhost

References:
- gettext 0.16 vs 0.14.6
  - From: Greg Troxel
- Re: gettext 0.16 vs 0.14.6
  - From: Joerg Sonnenberger
- Re: gettext 0.16 vs 0.14.6
  - From: Greg Troxel
- Re: gettext 0.16 vs 0.14.6
  - From: Alan Barrett

Prev by Date: Re: Typo in devel/cpuflags/files/cpluflags.1 man page
Next by Date: Re: gettext 0.16 vs 0.14.6
Previous by Thread: Re: gettext 0.16 vs 0.14.6
Next by Thread: Re: gettext 0.16 vs 0.14.6
Indexes:

Home | Main Index | Thread Index | Old Index