[Python-Dev] PyErr_Format security note

Guido van Rossum guido@CNRI.Reston.VA.US
Mon, 15 Nov 1999 10:23:57 -0500


> I noticed this in PyErr_Format(exception, format, va_alist):
> 
> 	char buffer[500]; /* Caller is responsible for limiting the format */
> 	...
> 	vsprintf(buffer, format, vargs);
> 
> Making the caller responsible for this is error-prone.

Agreed.  The limit of 500 chars, while technically undocumented, is
part of the specs for PyErr_Format (which is currently wholly
undocumented).  The current callers all have explicit precautions, but
of course I agree that this is a potential danger.

> The danger, of
> course, is a buffer overflow caused by generating an error string
> that's larger than the buffer, possibly letting people execute
> arbitrary code.  We could add a test to the configure script for
> vsnprintf() and use it when possible, but that only fixes the problem
> on platforms which have it.  Can we find an implementation of
> vsnprintf() someplace?

Assuming that Linux and Solaris have vsnprintf(), can't we just use
the configure script to detect it, and issue a warning blaming the
platform for those platforms that don't have it?  That seems much
simpler (from a maintenance perspective) than carrying our own
implementation around (even if we can borrow the Apache version).

--Guido van Rossum (home page: http://www.python.org/~guido/)
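The fix the thread converges on, shown as an added example (not code from the thread or from Python's own PyErr_Format): a hypothetical `format_error_message()` that keeps the 500-byte buffer but formats with vsnprintf(), which never writes past the buffer's end, and reports the length the full message would have needed so the caller can detect truncation. The helper name, the "..." truncation marker and the availability of a C99 vsnprintf() are assumptions of this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same fixed size as the buffer quoted in the thread. */
#define ERR_BUF_SIZE 500

/* Hypothetical bounded replacement for the vsprintf() call.
 * Returns the length the complete message would have needed (not
 * counting the NUL), or -1 on a formatting error. A return value
 * >= bufsize means the message was truncated; the last three visible
 * characters are then replaced with "..." so a cut-off message is
 * not mistaken for a complete one. Assumes a C99 vsnprintf(). */
int format_error_message(char *buf, size_t bufsize, const char *format, ...)
{
    va_list vargs;
    int needed;

    va_start(vargs, format);
    needed = vsnprintf(buf, bufsize, format, vargs); /* never overflows buf */
    va_end(vargs);
    if (needed < 0) {
        buf[0] = '\0';
        return -1;
    }
    if ((size_t)needed >= bufsize && bufsize >= 4)
        memcpy(buf + bufsize - 4, "...", 3); /* buf[bufsize-1] is already NUL */
    return needed;
}

/* A message that fits: nothing is altered. */
int check_short_message(void)
{
    char buf[ERR_BUF_SIZE];
    int n = format_error_message(buf, sizeof buf, "value %d out of range", 42);
    return n == 21 && strcmp(buf, "value 42 out of range") == 0;
}

/* A constructed 1999-char argument, the case vsprintf() would overflow on:
 * the full text needs 2004 bytes, but only 499 plus a NUL are written. */
int check_oversized_argument(void)
{
    char buf[ERR_BUF_SIZE];
    char big[2000];
    int n;
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    n = format_error_message(buf, sizeof buf, "name %s", big);
    return n == 2004 && strlen(buf) == ERR_BUF_SIZE - 1
        && strcmp(buf + ERR_BUF_SIZE - 4, "...") == 0;
}
```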