Subject: Re: [boost] Review - boost::log
From: Vladimir Prus (ghost_at_[hidden])
Date: 2010-03-14 17:50:55

On Sunday 14 March 2010 23:37:06 Scott McMurray wrote:

> On 14 March 2010 15:21, Tom Brinkman <reportbase2007_at_[hidden]> wrote:
> >> The printf-style parameters are responsible for thousands and thousands of
> >> security vulnerabilities.
> >
> > Just plain wrong.
> >
> Some evidence for your position would be good, since it's trivial to
> find documentation of holes from printf-style parameters:

I don't think that's a hole from printf-style parameters. By reading that
page it's trivial to notice that the %n format specifier -- which
actually writes something into the program -- is the key component of the attack.
Clearly a printf-like function that does not support any way to modify
program state is safe. Am I missing something?
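
The check the message above turns on, as an added example that is not part of the original post or of Boost.Log: a C scanner that finds the %n conversion in a format string, and a wrapper that refuses to format when it is present. The names `fmt_has_store_conversion` and `safe_log` are hypothetical, and the scanner looks only for %n, the directive the message singles out.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if fmt contains a conversion that stores through a pointer
 * argument (%n, also written %hhn, %ln, %1$n, ...), otherwise 0. */
int fmt_has_store_conversion(const char *fmt)
{
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;                                   /* step past '%' */
        p += strspn(p, "0123456789$-+ #'*.");  /* position, flags, width, precision */
        p += strspn(p, "hlLqjzt");             /* length modifiers */
        if (*p == '\0')
            return 0;                          /* truncated directive at end of string */
        if (*p == 'n')
            return 1;
        /* any other conversion character, including the second '%' of "%%" */
    }
    return 0;
}

/* Hypothetical wrapper: formats into out, or returns -1 without formatting
 * when the format string contains %n. */
int safe_log(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (fmt_has_store_conversion(fmt))
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    char buf[64];
    /* Constructed sample format strings. */
    printf("%d\n", safe_log(buf, sizeof buf, "user=%s id=%d", "alice", 7));
    printf("%d\n", safe_log(buf, sizeof buf, "count%n"));
    return 0;
}
```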

