[Python-Dev] PyErr_Format security note
Guido van Rossum
guido@CNRI.Reston.VA.US
Mon, 15 Nov 1999 10:23:57 -0500
> I noticed this in PyErr_Format(exception, format, va_alist):
>
> char buffer[500]; /* Caller is responsible for limiting the format */
> ...
> vsprintf(buffer, format, vargs);
>
> Making the caller responsible for this is error-prone.
Agreed. The limit of 500 chars, while technically undocumented, is
part of the specs for PyErr_Format (which is currently wholly
undocumented). The current callers all have explicit precautions, but
of course I agree that this is a potential danger.
> The danger, of
> course, is a buffer overflow caused by generating an error string
> that's larger than the buffer, possibly letting people execute
> arbitrary code. We could add a test to the configure script for
> vsnprintf() and use it when possible, but that only fixes the problem
> on platforms which have it. Can we find an implementation of
> vsnprintf() someplace?
Assuming that Linux and Solaris have vsnprintf(), can't we just use
the configure script to detect it, and issue a warning blaming the
platform for those platforms that don't have it? That seems much
simpler (from a maintenance perspective) than carrying our own
implementation around (even if we can borrow the Apache version).
--Guido van Rossum (home page: http://www.python.org/~guido/)
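The bounded alternative the thread is arguing for, as an added example that is not CPython's code and not part of the original message: the same fixed 500-byte buffer, but written with vsnprintf and a truncation check, so an oversized argument shortens the message instead of writing past the buffer. The function and demo names below are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not CPython's PyErr_Format. The buffer size mirrors the
 * 500-byte buffer quoted in the thread. */
#define ERR_BUF_SIZE 500

/*
 * Format an error message into a caller-supplied buffer of 'size' bytes.
 * Unlike vsprintf(), vsnprintf() never writes more than 'size' bytes and
 * always NUL-terminates when size > 0. Returns 0 if the whole message fit,
 * 1 if it was truncated (or could not be formatted), so the caller can
 * decide whether a shortened message is acceptable.
 */
int format_error_bounded(char *buf, size_t size, const char *format, ...)
{
    va_list args;
    int needed;

    if (size == 0)
        return 1;

    va_start(args, format);
    needed = vsnprintf(buf, size, format, args);
    va_end(args);

    /* C99 vsnprintf returns the length the full message would need; a
     * negative value is an encoding error (or, on some pre-C99 libcs,
     * their way of signalling truncation). Fail closed in both cases. */
    if (needed < 0) {
        buf[0] = '\0';
        return 1;
    }
    return (size_t)needed >= size;
}

/* Demo 1: a short message fits; returns 1 when the output is as expected. */
int demo_short_message(void)
{
    char buf[ERR_BUF_SIZE];
    int truncated = format_error_bounded(buf, sizeof buf, "%s: %d", "value", 42);
    return truncated == 0 && strcmp(buf, "value: 42") == 0;
}

/*
 * Demo 2: a constructed 1999-character argument, far larger than the buffer.
 * With vsprintf() this would overrun the 500-byte buffer; here it is cut to
 * 499 characters plus the terminator. Returns the resulting string length
 * (499) if truncation was reported, or -1 if it was not.
 */
int demo_oversized_argument(void)
{
    char buf[ERR_BUF_SIZE];
    char big[2000];                      /* constructed sample input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    if (format_error_bounded(buf, sizeof buf, "bad name %s", big) != 1)
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    printf("short message ok: %d\n", demo_short_message());
    printf("oversized argument truncated to %d chars\n", demo_oversized_argument());
    return 0;
}
```

The return value is the part worth copying: callers that still want a hard limit can treat truncation as an error, while callers that only need a best-effort message can ignore it, and neither path can overflow the buffer.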