OSSP CVS Repository

ossp - Difference in ossp-pkg/lmtp2nntp/00TODO versions 1.60 and 1.61

ossp-pkg/lmtp2nntp/00TODO 1.60 -> 1.61

--- 00TODO       2002/05/28 12:19:47     1.60
+++ 00TODO       2002/07/29 11:39:43     1.61
@@ -75,3 +75,27 @@
     crossposting problem                          -h [Newsgroups:see perl example above and use feature 2.)\n]
     potential to merge post/header modes          -h [Newsgroups:${_EnvelopeRCPT}\n]
 
+
+===================================================================
+RCS file: /e/ossp/cvs/ossp-pkg/fsl/fsl.c,v
+retrieving revision 1.22
+retrieving revision 1.21
+diff -r1.22 -r1.21
+341c341
+<         if ((l2rv = l2_spec(&ch, ctx.l2_fslenv, "%s", argl2spec)) != L2_OK) {
+---
+>         if ((l2rv = l2_spec(&ch, ctx.l2_fslenv, argl2spec)) != L2_OK) {
+513c513
+<                     if ((l2rv = l2_spec(&ch, ctx.l2_env, "%s", argl2spec)) != L2_OK) {
+---
+>                     if ((l2rv = l2_spec(&ch, ctx.l2_env, argl2spec)) != L2_OK) {
+
+Fix a big security hole: the l2_spec() is a varargs function which gets
+a format string and variable arguments. In case only a fixed string is
+used we have to use "%s" as the format string or else "%x" in the string
+is treated like a formatter (and hence cause a segfault or whatever
+else if it tries to fetch args from the stack). This especially also no
+longer requires the formatters to be written %%X...
+
+    consider using lib_cfg for configuration file parsing
+
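
Review bot: the rcsdiff pasted at the top of this added block was produced with `diff -r1.22 -r1.21`, so its `<` lines carry the fixed calls with "%s" and its `>` lines the unfixed ones, which reads as if the fix were being removed. Regenerate it as -r1.21 -r1.22, or state in the entry that 1.22 is the fixed revision. The entry also records the fsl.c change without saying what remains to be done in lmtp2nntp: add an explicit item to audit every l2_spec() call in this package that passes a variable as the format argument and convert it to the `l2_spec(&ch, ctx.l2_env, "%s", argl2spec)` form. Because the closing sentence says formatters no longer have to be written %%X, the entry should also mention that existing specs and documentation using the doubled form need updating once the call is changed.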
