Opened 4 years ago

Last modified 22 months ago

#136 new defect

Check user input used as string literals

Reported by: Julien ÉLIE
Owned by: eagle
Priority: low
Milestone: 2.7.0
Component: general
Version: 2.5.4
Severity: minor
Keywords:


The following programs use format strings that are not string literals at compile time; they come from user input and are not currently sanity-checked.

User input should be checked before being used. We can do something like what the IsValidSubmissionTemplate() function does in lib/getmodaddr.c.

batcher: check the values of the arguments given to the -p and -s parameters
buffchan: check the value of the argument given to the -d parameter
innfeed: check the contents of the timeToStringFormat and deliver_rcpt_to variables (from the log-time-format and deliver-rcpt-to parameters of innfeed.conf)
innd: check the contents of the sp->Param variable (from newsfeeds)
ninpaths: check the value of the argument given to the -d parameter
nnrpd: check the contents of the mta parameter of inn.conf (the check may be useful at other places of the code)
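An added example of the kind of check the ticket proposes, written here in the spirit of IsValidSubmissionTemplate() but not taken from INN's code: it walks a user-supplied format, rejects any conversion whose specifier is not in an allow-list (so "%n", a '*' width or a trailing '%' all fail) and, when asked, enforces an exact number of conversions. Passing -1 as the count also covers strftime-style formats such as log-time-format; the function names and sample values are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Walk a user-supplied format string.  Returns the number of conversions
 * when every '%' is either "%%" or a conversion ending in one of the
 * characters in `allowed`; returns -1 as soon as anything else is seen
 * (an unknown specifier, "%n", a '*' width, a trailing '%'). */
int
count_conversions(const char *fmt, const char *allowed)
{
    int count = 0;
    const char *p;

    for (p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                       /* literal percent sign */
        /* Accept simple flags, width and precision such as "-10.3";
         * '*' is deliberately not accepted since it consumes an argument. */
        while (*p == '-' || *p == '+' || *p == ' ' || *p == '#' || *p == '0')
            p++;
        while (isdigit((unsigned char) *p))
            p++;
        if (*p == '.') {
            p++;
            while (isdigit((unsigned char) *p))
                p++;
        }
        /* The NUL test comes first: strchr() would "find" a NUL terminator. */
        if (*p == '\0' || strchr(allowed, *p) == NULL)
            return -1;
        count++;
    }
    return count;
}

/* A template is safe when all its conversions are allowed and, if
 * `expected` is non-negative, there are exactly that many of them. */
bool
template_is_safe(const char *fmt, const char *allowed, int expected)
{
    int n = count_conversions(fmt, allowed);

    return n >= 0 && (expected < 0 || n == expected);
}
```

For the mta template one would call `template_is_safe(mta, "s", 1)`; for a time format, `template_is_safe(fmt, "YmdHMSjZ", -1)` with whatever strftime specifiers the program is willing to accept.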

Change History (1)

comment:1 Changed 22 months ago by Julien ÉLIE

Milestone: 2.7.0

Also see #140.
