On Nov 27, 2011, at 11:33 AM, Stefan Fritsch wrote:
>> + else { >> + va_list ap; >> + const char *res; >> + va_start(ap, fmt); >> + res = apr_pvsprintf(r->pool, fmt, ap); >> + va_end(ap); >> + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, res, NULL); >> + }
>
> No, this is not right. If some caller passes arguments to
> ap_pass_brigade_fchk that may cause the result of apr_pvsprintf to contain a
> "%", you would get a format-string vulnerability. This could easily happen if
> some error message included the URL.
>
> You must use
>
> ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, "%s", res);
>
> instead.
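
Review bot: in the else branch, `res` is passed to ap_log_rerror in the format position, so any "%" that survives into the apr_pvsprintf output is parsed a second time as a conversion with no matching argument, and the trailing NULL does nothing to prevent that. Pass a constant format and the message as data: `ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, "%s", res);`. Separately, the string is built from r->pool before ap_log_rerror has checked the log level, so the allocation and formatting happen even when debug logging is off.
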
Thx!
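
The two-stage formatting issue discussed above, as an added example that is not part of the original thread or of httpd: plain `vsnprintf`/`snprintf` stand in for `apr_pvsprintf` and `ap_log_rerror`, and `build_msg`, `live_conversions`, `log_safe` and the sample URL are hypothetical names and constructed data.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stage 1: build the message from the caller's format, as the patch does
 * with apr_pvsprintf (vsnprintf is a stand-in, an assumption of this demo). */
static void build_msg(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Count the '%' sequences a printf-style logger would try to interpret
 * if `s` were handed to it as the format argument. "%%" is a literal. */
static int live_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Stage 2, corrected form: constant format, message passed as data. */
static int log_safe(char *sink, size_t n, const char *msg)
{
    return snprintf(sink, n, "%s", msg);
}

int main(void)
{
    /* Constructed sample: a percent-encoded URL inside an error message. */
    const char *url = "/files/report%20final%2epdf";
    char msg[256], sink[256];

    build_msg(msg, sizeof msg, "pass_brigade failed for %s", url);
    printf("conversions if reused as format: %d\n", live_conversions(msg));
    log_safe(sink, sizeof sink, msg);
    printf("logged: %s\n", sink);
    return strcmp(sink, msg) != 0;   /* 0: message reached the log unchanged */
}
```

The first pass copies the URL's percent-escapes into the message unchanged, which is why the second call must treat the message as an argument rather than as a format.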