Thu, 13 Jul 2000 12:37:21 +0200
"Barry A. Warsaw" wrote:
> >>>>> "PP" == Paul Prescod <email@example.com> writes:
> PP> Add an implementation of snprintf to our code and fix the
> PP> other hundred or so sprintf occurrences to use it. Most of
> PP> them are safe but it couldn't hurt to pass cleanly through
> PP> those heuristic security checkers
> PP> Here's one:
> PP> http://www.ijs.si/software/snprintf/
> PP> And there is one in Apache.
> And one in Mailman, ripped from GNU screen. Because it's GPL'd it's
> not appropriate for Python, but could serve as another source of
> inspiration. So far, of the platforms people try to run Mailman on,
> I've only found it necessary for Solaris 2.5.
Isn't there one in FreeBSD which we could use (Python's license
being very BSDish, this should be possible, I guess).
Anyway, I think most platforms have their own snprintf() in
the C lib, so the code would hardly ever be needed -- perhaps
its even safe to revert to sprintf() on those platforms via
a macro snprintf().
The reasoning here is simple: if the platform
doesn't provide it, it's quite possibly unsafe in a network
environment anyway, because many programs will use sprintf()
instead of snprintf() and thus won't do much buffer overflow
Python Pages: http://www.lemburg.com/python/