Re: [gtk-list] Re: Need help



"Rodrigo Moya" <Moya_Rodrigo/madrid_tecnologia@sinvest.es> writes:

> >Is there any way to pass arguments to the Xclient program in the system()
> >function call?  Or is there another way to do the same thing?
> >
> Try:
>     sprintf(command, "tgif %s", variable);
>     system(command);

No, don't do that or Alan Cox will eat you alive.  Use g_strdup_printf
or g_snprintf from glib.

The reason is that sprintf does not check for buffer overruns.  That
is, with a suitably long string in variable, you will step out of the
space allocated to command and overwrite innocent memory.  Such a bug
can often be exploited to trick your program into executing random
code, which is bad from a security point of view.  But even generally,
it is of course a bad thing to not do proper range checking.  When you
are using system you have probably lost your security anyway.

But I think it's important to start using the right tools right from
the beginning.  So don't ever use sprintf.
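
The bounded alternatives recommended above, as an added example that is not part of the original message. It uses the standard C99 snprintf as a stand-in for glib's g_snprintf and g_strdup_printf so that it builds without glib; the function names build_command_fixed and build_command_alloc are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-buffer variant (the role g_snprintf plays): never writes past
 * dst_len. Returns 0 on success, -1 if the command would not fit; in that
 * case dst is emptied so a truncated command is never handed to system(). */
int build_command_fixed(char *dst, size_t dst_len, const char *file)
{
    int n = snprintf(dst, dst_len, "tgif %s", file);
    if (n < 0 || (size_t)n >= dst_len) {
        if (dst_len > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Heap variant (the role g_strdup_printf plays): measure first, then
 * allocate exactly enough. The caller frees the result. */
char *build_command_alloc(const char *file)
{
    int n = snprintf(NULL, 0, "tgif %s", file);
    if (n < 0)
        return NULL;
    char *cmd = malloc((size_t)n + 1);
    if (cmd == NULL)
        return NULL;
    snprintf(cmd, (size_t)n + 1, "tgif %s", file);
    return cmd;
}

int main(void)
{
    char command[32];
    char long_name[200];              /* constructed over-long input */
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    /* Bounded formatting only fixes the overrun; the string is still
     * interpreted by the shell if it is passed to system(). */
    printf("short name: %d\n", build_command_fixed(command, sizeof command, "drawing.obj"));
    printf("long name:  %d\n", build_command_fixed(command, sizeof command, long_name));
    char *cmd = build_command_alloc(long_name);
    if (cmd != NULL) {
        printf("allocated command length: %zu\n", strlen(cmd));
        free(cmd);
    }
    return 0;
}
```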


