author | Martin Samuelsson <msamuelsson@storvix.eu> | 2023-05-27 13:33:45 +0200 |
---|---|---|
committer | Martin Samuelsson <msamuelsson@storvix.eu> | 2023-05-28 22:56:25 +0200 |
commit | 686214f80c5eab30e67e34890c332e0232ca5afa (patch) | |
tree | 4d0881f6a9286f1bbed8d566058655768fb5636a /libsyslog/src/syslog.rs | |
parent | 6943c32fb862ec227bb8950095d288d12590ba9b (diff) | |
Avoid insecurely passing untrusted string to syslog()
With the second argument to syslog() being a format string, these
function calls obviously need an actual format string prior to the log
message.
Thanks to Alexander Hansen Færøy for noticing and pointing out this
embarrassing mistake.
Diffstat (limited to 'libsyslog/src/syslog.rs')
-rw-r--r-- | libsyslog/src/syslog.rs | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/libsyslog/src/syslog.rs b/libsyslog/src/syslog.rs
index 6b36147..2a4d856 100644
--- a/libsyslog/src/syslog.rs
+++ b/libsyslog/src/syslog.rs
@@ -76,13 +76,17 @@ impl log::Log for Syslog {
 fn log(&self, record: &Record) {
 if self.enabled(record.metadata()) {
- if let Ok(msg) = CString::new(format!("{}", record.args())) {
+ if let (Ok(fmt), Ok(msg)) = ( CString::new("%s"),
+ CString::new(format!("{}", record.args())))
+ {
+ let fmt_ptr = fmt.as_ptr();
+ let msg_ptr = msg.as_ptr();
 match record.level() {
- Level::Debug => unsafe { syslog(LOG_DEBUG, msg.as_ptr()); }
- Level::Error => unsafe { syslog(LOG_ERR, msg.as_ptr()); }
- Level::Info => unsafe { syslog(LOG_INFO, msg.as_ptr()); }
- Level::Warn => unsafe { syslog(LOG_WARNING, msg.as_ptr()); }
- Level::Trace => unsafe { syslog(LOG_DEBUG, msg.as_ptr()); }
+ Level::Debug => unsafe { syslog(LOG_DEBUG, fmt_ptr, msg_ptr); }
+ Level::Error => unsafe { syslog(LOG_ERR, fmt_ptr, msg_ptr); }
+ Level::Info => unsafe { syslog(LOG_INFO, fmt_ptr, msg_ptr); }
+ Level::Warn => unsafe { syslog(LOG_WARNING, fmt_ptr, msg_ptr); }
+ Level::Trace => unsafe { syslog(LOG_DEBUG, fmt_ptr, msg_ptr); }
 }
 }
 }
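Review bot: A log message containing an interior NUL byte still makes `CString::new` return `Err` and the entire entry is silently dropped, which the new `if let (Ok(fmt), Ok(msg))` pattern carries over from the old code — for a logger fed untrusted strings that is a log-evasion path, since whoever controls the text can suppress the record by embedding `\0`. Sanitize before converting, e.g. `let text = format!("{}", record.args()).replace('\0', "\\x00");` followed by `CString::new(text)`, so the call always reaches `syslog(3)`. `CString::new("%s")` can never fail, so routing it through the fallible tuple pattern obscures that invariant; a static `b"%s\0".as_ptr() as *const c_char` (or an `.expect(...)` stating why it cannot fail) is clearer and skips the allocation. Each `unsafe { syslog(...) }` arm should also carry a `// SAFETY:` comment noting that `fmt` and `msg` outlive the call and that the `"%s"` format consumes exactly the one pointer passed, assuming the `syslog` binding is declared variadic as libc's is; `log`'s final closing brace falls outside the hunk.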