Big documentation shortcoming: QString::arg()

Waldo Bastian bastian at kde.org
Wed Jul 10 21:52:16 BST 2002


On Wednesday 10 July 2002 12:29 pm, qt-bugs at trolltech.com wrote:
> On Mittwoch, 10 Jul 2002 19:56, Marc Mutz wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi!
> >
> > Code using multiple QString::arg()'s on a string sequentially can be
> > tricked into replacing the wrong parts of texts. If :arg() is used to
> > insert (multiple) "user-supplied" strings, then the resulting program
> > may be vulnerable to quite a few attacks. A simple test program is
> > attached. Try e.g.
> > $ testqstring '%1 first text' 'second text'
> > 1: s == 1: %1 first text; 2: %2
> > 2: s == 1: second text first text; 2:
> >
> > This is particularly dangerous if this mechanism is used to construct
> > command lines to be executed.
> > Of course, a careful programmer will never use arg() for this and always
> > check the to-be-inserted strings for "%n" and warn if one is found, but
> > nonetheless a big fat warning in the documentation of QString::arg()
> > should be in order.
> >
> > Thanks,
> > Marc
>
> Hi Marc,
>
> I'm afraid this is a bit beyond the scope of the Qt documentation, which is
> supposed to explain the purpose of a function and how to use it rather than
> the dangers of a function in certain circumstances. We would have to add
> big fat warnings in the documentation for every destructor (a'la warning:
> calling the destructor deletes the object and may crash your application),
> which would definitely not look very nice.

The difference being that this poses a very real problem when processing 
user-provided data that will not be immediately visible until you run into the 
problem. 

It's like calling printf(arg); instead of printf("%s", arg). If you follow 
security alerts you will know that there is quite some code out there that is 
exploitable because of that mistake alone.

Cheers,
Waldo
-- 
Denial is not a river in Egypt.
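The pitfall Marc describes, shown as an added example that is not part of the thread and not Qt code: a small std::string model of `%n` placeholder substitution contrasting the sequential `s.arg(a).arg(b)` behaviour with a single-pass substitution (which is how Qt's multi-argument `arg(a1, a2, ...)` overloads work), plus the "does the user string carry a placeholder" check Marc mentions. Only `%1`..`%9` are modelled; the inputs in `main` are constructed.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Sequential model of s.arg(a).arg(b): each call replaces every occurrence of
// the lowest-numbered "%n" still present, so text that an earlier call
// inserted is rescanned by the next call.
std::string argSequential(std::string fmt, const std::vector<std::string>& args) {
    for (const std::string& a : args) {
        std::string ph;
        for (int n = 1; n <= 9 && ph.empty(); ++n) {
            std::string cand = "%" + std::to_string(n);
            if (fmt.find(cand) != std::string::npos) ph = cand;
        }
        if (ph.empty()) break;               // nothing left to replace
        for (std::string::size_type p = fmt.find(ph); p != std::string::npos;
             p = fmt.find(ph, p + a.size()))
            fmt.replace(p, ph.size(), a);    // inserted text is rescanned later
    }
    return fmt;
}

// Single-pass substitution: the format is scanned once and each "%n" becomes
// args[n-1]; inserted text is copied verbatim and never rescanned.
std::string argSinglePass(const std::string& fmt, const std::vector<std::string>& args) {
    std::string out;
    for (std::string::size_type i = 0; i < fmt.size(); ++i) {
        if (fmt[i] == '%' && i + 1 < fmt.size() && std::isdigit((unsigned char)fmt[i + 1])) {
            std::size_t n = fmt[i + 1] - '0';
            if (n >= 1 && n <= args.size()) { out += args[n - 1]; ++i; continue; }
        }
        out += fmt[i];
    }
    return out;
}

// The check Marc suggests: flag user-supplied text that carries a placeholder.
bool containsPlaceholder(const std::string& s) {
    for (std::string::size_type i = 0; i + 1 < s.size(); ++i)
        if (s[i] == '%' && std::isdigit((unsigned char)s[i + 1])) return true;
    return false;
}

int main() {
    // constructed inputs, modelled on the test invocation quoted in the thread
    std::vector<std::string> user = {"%1 first text", "second text"};
    std::printf("sequential : %s\n", argSequential("1: %1; 2: %2", user).c_str());
    std::printf("single pass: %s\n", argSinglePass("1: %1; 2: %2", user).c_str());
    return 0;
}
```

With the sequential model the second argument lands inside the first one and `%2` survives unreplaced; the single pass keeps every argument in its own slot.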