编写一个像 printf 这样的函数,它可以清理第一个参数之后的所有参数,使其摆脱 `%` 符号
[英]Write a function like printf, that can sanitize all arguments after the first to be free from the `%` symbol
问题描述
user_input = "%s%s%s%s%s%s%s%s";
printf("user input is: %s", user_input);
... crash! 
... 碰撞!
The above lines cause an error.以上几行会导致错误。 I want to write a function which can be used like printf but can sanitize all arguments after the first to make sure they do not contain the % symbol.我想编写一个函数,它可以像printf一样使用,但可以在第一个参数之后清理所有参数,以确保它们不包含%符号。 The function should be used like 'printf' in that it can take any number of arguments and it print outs a string in the same manner.该函数应该像 'printf' 一样使用,因为它可以接受任意数量的参数,并以相同的方式打印出一个字符串。 If the other arguments contain the % symbol, I just want that symbol taken out before it is put in the format string.如果其他参数包含%符号,我只希望在将其放入格式字符串之前取出该符号。
If this new function were called safe_printf , I would want the behavior to be like this:如果这个新函数被称为safe_printf ,我希望行为是这样的:
user_input = "%s%s%s%s%s%s%s%s";
safe_printf("user input is: %s, user_input);
user input is: ssssssss用户输入是:ssssssss
It seems like writing a function like this may not be possible, (I can't figure out how to preprocess the char *s in the va_list without knowing how many there are) if that's the case please let me know.似乎编写这样的函数可能是不可能的,(我不知道如何预处理 va_list 中的 char *s 而不知道有多少),如果是这种情况,请告诉我。 Thanks!谢谢!
1 个解决方案
解决方案1
-1 2016-09-28 02:11:54
The string formatting vulnerability exists if user provided input is passed to the printf(3) function.如果将用户提供的输入传递给printf(3)函数,则存在字符串格式化漏洞。 You can prevent this by not allowing that happen, ever .您可以通过不允许这种情况发生防止这种情况,直到永远。 There is absolutely not reason to have a dynamic format string because you should know ahead of time the required format, and therefore you can put the format string in read only memory through the use of a const char *绝对没有理由拥有动态格式字符串,因为您应该提前知道所需的格式,因此您可以通过使用const char *将格式字符串放入只读内存中
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.