Source – The Daily WTF
Hmmm… This is exactly the kind of reason why I just spent a day finding a reliable way of sanitising printf-style format strings in my SQL library.
First you parse the format string, identify all the arguments, then call your vsnprintf with chunks of the format string, making sure that the %s arguments are reprocessed to escape nasty things, and increment the va pointer between calls using types inferred from the format string.
Works like a charm, may contain traces of nuts.
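A small worked version of that idea, added here as an example and not the commenter's library code: it walks the template once, formats `%d` itself instead of handing chunks to vsnprintf, emits every `%s` as a single-quoted SQL literal with embedded quotes doubled, and rejects any other conversion so the argument types pulled off the va_list always match the template. `sql_format` and `put` are names chosen for this example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Push one byte into out[cap]; *pos counts bytes that would have been
   written, so truncation can be detected afterwards (snprintf convention). */
static void put(char *out, size_t cap, size_t *pos, char c) {
    if (*pos + 1 < cap) out[*pos] = c;
    (*pos)++;
}

/* Build a SQL statement from a printf-style template. Only %d, %s and %%
   are accepted; %s becomes a single-quoted literal with every embedded
   quote doubled, so the argument can never close the literal. Returns the
   length of the full result (possibly > cap), or -1 on an unsupported or
   dangling conversion. out is NUL-terminated whenever cap > 0. */
int sql_format(char *out, size_t cap, const char *fmt, ...) {
    va_list ap;
    size_t pos = 0;
    int rc = 0;
    va_start(ap, fmt);
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') { put(out, cap, &pos, *p); continue; }
        p++;
        if (*p == '%') {
            put(out, cap, &pos, '%');
        } else if (*p == 'd') {              /* type inferred from template */
            char num[32];
            int n = snprintf(num, sizeof num, "%d", va_arg(ap, int));
            for (int i = 0; i < n; i++) put(out, cap, &pos, num[i]);
        } else if (*p == 's') {              /* quoted and escaped literal */
            const char *s = va_arg(ap, const char *);
            put(out, cap, &pos, '\'');
            for (; *s; s++) {
                if (*s == '\'') put(out, cap, &pos, '\'');
                put(out, cap, &pos, *s);
            }
            put(out, cap, &pos, '\'');
        } else {                             /* unknown conversion or trailing % */
            rc = -1;
            break;
        }
    }
    va_end(ap);
    if (cap > 0) out[pos < cap ? pos : cap - 1] = '\0';
    return rc < 0 ? -1 : (int)pos;
}
```

Quote doubling is the standard SQL rule; an engine that also treats backslash as an escape character needs its own escaping routine, and parameterised queries sidestep the problem entirely.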