On Sat, Dec 04, 2010 at 10:12:25AM +0100, Jochen Neubeck wrote:
> LogWriter output methods are at times called with just a single
> argument, which LogWriter always treats as an sprintf format string,
> but which is not always meant to be such. I have seen this in a few
> catch blocks which involve logging of the preformatted diagnostic
> messages provided by the exceptions. This induces a risk of
> vulnerability due to misdetection of format specifiers. The patch
> provides safe overloads for the single argument case.

Hello,

are you sure this patch is really needed? In my opinion it's absolutely valid to use only a string as an argument. Can you please point me to where the current LogWriter's method is misused?

Thank you in advance.

Regards, Adam

--
Adam Tkac, Red Hat, Inc.

_______________________________________________
Tigervnc-devel mailing list
Tigervnc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tigervnc-devel
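
The single-argument case discussed in this thread, as an added example that is not part of the original messages and is not TigerVNC code: `DemoLog`, its `info`/`infoText` methods and the sample diagnostic are hypothetical. It shows a preformatted message being altered when it is passed as the format string, and preserved when it is passed as data to a fixed `"%s"` format.

```cpp
#include <cstdarg>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical stand-in for a logger; it records lines instead of writing them.
class DemoLog {
public:
    // printf-style method: fmt is ALWAYS interpreted as a format string.
    void info(const char* fmt, ...) {
        char buf[256];
        va_list ap;
        va_start(ap, fmt);
        vsnprintf(buf, sizeof buf, fmt, ap);
        va_end(ap);
        lines.push_back(buf);
    }

    // Safe single-argument form: the text is data for a fixed format.
    void infoText(const char* text) { info("%s", text); }

    std::vector<std::string> lines;
};

// Constructed sample: a preformatted diagnostic such as an exception might carry.
// "%%" is chosen because it is the one conversion that consumes no argument, so
// the format-string call below stays well-defined. A "%s", "%x" or "%n" in the
// same position would make vsnprintf use arguments that were never passed,
// which is undefined behaviour.
static const char* kDiag = "decode failed: 100%% of rect missing";

// Message passed as the format string: the logger rewrites it.
std::string logAsFormat() {
    DemoLog log;
    log.info(kDiag);
    return log.lines.back();
}

// Message passed as data: the logger records it verbatim.
std::string logAsData() {
    DemoLog log;
    log.infoText(kDiag);
    return log.lines.back();
}

int main() {
    std::printf("as format: %s\n", logAsFormat().c_str());
    std::printf("as data:   %s\n", logAsData().c_str());
    return 0;
}
```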