|
Boost : |
Subject: Re: [boost] Review - boost::log
From: Vladimir Prus (ghost_at_[hidden])
Date: 2010-03-14 17:50:55
On Sunday 14 March 2010 23:37:06 Scott McMurray wrote:
> On 14 March 2010 15:21, Tom Brinkman <reportbase2007_at_[hidden]> wrote:
> >> The printf style parameters is responsible for thousands and thousands of
> >> security vulnerabilities.
> >
> > Just plain wrong.
> >
>
> Some evidence for your position would be good, since it's trivial to
> find documentation of holes from printf-style parameters:
> http://en.wikipedia.org/wiki/Format_string_attack
I don't think that's hole from printf-style parameters. By reading that
page it's trivial to notice that it's the %n format specifier -- which
actually writes something into program -- is the key component of attack.
Clearly a printf-like function that does not support any way to modify
program state is safe. Am I missing something?
Thanks,
Volodya
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk