Re: [gtk-list] Re: Need help

"Rodrigo Moya" <Moya_Rodrigo/> writes:

> >Is there any way to pass arguments to the Xclient program in the system()
> >function call?  Or is there other way to do the same thing?
> >
> Try:
>     sprintf(command, "tgif %s", variable);
>     system(command);

No, don't do that or Alan Cox will eat you alive.  Use g_strdup_printf
or g_snprintf from glib.

The reason is that sprintf does not check for buffer overruns.  That
is, with a suitably long string in variable, you will step out of the
space allocated to command and overwrite innocent memory.  Such a bug
can often be exploited to trick your program into executing random
code which is bad from a security point of view.  But even generally,
it is of course a bad thing to not do proper range checking.  When you
are using system you have probably lost your security anyway.

But I think it's important to start using the right tools right from
the beginning.  So don't ever use sprintf.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]