[Bug 3412] New: format string security
bugzilla-daemon at icculus.org
Sun Nov 11 05:46:50 EST 2007
http://bugzilla.icculus.org/show_bug.cgi?id=3412
Summary: format string security
Product: Quake 3
Version: SVN HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P3
Component: Misc
AssignedTo: zakk at icculus.org
ReportedBy: devhc97 at gmail.com
QAContact: quake3-bugzilla at icculus.org
Converting '%' to '.' is done for security reasons. However, it's not an option
to have a game suffering from C's handling of format strings. In other words,
one can defend from format string attacks by disabling '%', but that isn't
professional, and it is better to remember a warning: never pass a raw string
as fmt.
Even though there is some protection against format string type crashes,
internal potential bugs should still be handled. The whole code should be
checked for unsafe format strings, and corrected as needed, so that ultimately
the %-protection can be removed. Later on, when adding new code and dealing
with %'s, just apply caution.
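The two call patterns the report contrasts, as an added C example (not ioquake3 code). It assumes a printf-style engine routine such as Com_Printf, stood in for here by the hypothetical engine_printf; render_unsafe, render_safe and strip_percent are likewise constructed for the illustration. Inputs are chosen so that both calls are well defined, which is enough to show that a '%' in untrusted text is interpreted as a conversion only when that text is passed as the format argument.

```c
/* Added example, not ioquake3 code: the two call patterns the bug report
 * contrasts. engine_printf, render_unsafe, render_safe and strip_percent are
 * hypothetical stand-ins for engine routines such as Com_Printf. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static char g_out[128];   /* shared output buffer for the demo functions */

/* printf-style engine routine: whatever arrives in `fmt` is parsed for
 * conversion specifiers by vsnprintf. */
static int engine_printf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(g_out, sizeof g_out, fmt, ap);
    va_end(ap);
    return n;
}

/* Pattern the report warns against: text that came from outside (a player
 * name, a chat line, a cvar value) is used directly as the format string, so
 * every '%' in it is interpreted and may consume arguments that were never
 * passed. Here "100%% done" collapses to "100% done" because "%%" is a
 * conversion; other specifiers would read missing arguments. */
static const char *render_unsafe(const char *untrusted)
{
    engine_printf(untrusted);
    return g_out;
}

/* Correct pattern: the format string is a literal under the programmer's
 * control and the untrusted text is only ever a "%s" argument, so it is
 * copied verbatim and never parsed. */
static const char *render_safe(const char *untrusted)
{
    engine_printf("%s", untrusted);
    return g_out;
}

/* The stop-gap the report wants retired: rewrite every '%' as '.' before the
 * text can reach a format argument. Returns the number of characters changed.
 * It hides the symptom but does not remove the unsafe call sites. */
static int strip_percent(char *s)
{
    int changed = 0;
    for (; *s; ++s) {
        if (*s == '%') {
            *s = '.';
            ++changed;
        }
    }
    return changed;
}

int main(void)
{
    char name[] = "50% off";   /* constructed sample of player-supplied text */
    printf("safe  : %s\n", render_safe("100%% done"));    /* 100%% done */
    printf("unsafe: %s\n", render_unsafe("100%% done"));  /* 100% done  */
    printf("stripped %d char(s): %s\n", strip_percent(name), name);
    return 0;
}
```

For the code audit the report asks for, the compiler can do most of the work: declaring the engine's printf-style routines with `__attribute__((format(printf, N, M)))` and building with `-Wformat -Wformat-security` makes GCC and Clang flag every call that passes a non-literal format string with no further arguments, which is exactly the `render_unsafe` shape above. Once those call sites are rewritten to the `"%s"` form, the '%'-to-'.' rewriting no longer has a job to do.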