git.evergreen-ils.org Git - OpenSRF.git/commit

author	Dan Wells <dbw2@calvin.edu>
	Tue, 6 Mar 2012 20:08:33 +0000 (15:08 -0500)
committer	Dan Scott <dscott@laurentian.ca>
	Sat, 10 Mar 2012 04:25:08 +0000 (23:25 -0500)
commit	2e5c36e213292b802dcf17729ad705016892c99c
tree	60f183b5bd854c63a8f858b395c38d9bd3ef55de	tree
parent	7dbae240dd7dddaadf793d2d61118b96e0505bbd	commit \| diff

Protect gateway from format-string crashes in data

As a common security measure, printf-style formatting codes are
not allowed to be directly interpreted from a writable segment.
The gateway code currently has the following function call:

osrfLogActivity( OSRF_LOG_MARK, act->buf );

This is a variadic function which expects the 'act->buf' position
to contain a format string and any trailing arguments to be the
values passed to the formatter. Since act->buf is the value of
what we passed in, some data inadvertantly contains format strings,
and since it is a writable segment, the program crashes. Here is
an example of a crash-causing call:

http://localhost/osrf-gateway-v1?service=test&method=test&param=%22%251n%22

The param is interpreted as "%1n" and abruptly fails.

The simple solution is to include a formatter so that our param gets
demoted to being mere data, i.e.:

osrfLogActivity( OSRF_LOG_MARK, "%s", act->buf );

Signed-off-by: Dan Wells <dbw2@calvin.edu>
Signed-off-by: Dan Scott <dscott@laurentian.ca>