
This queue is for tickets about the Perl-Critic CPAN distribution.

Report information
The Basics
Id: 77085
Status: new
Priority: 0/
Queue: Perl-Critic

People
Owner: Nobody in particular
Requestors: EDAVIS [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in: 1.117
Fixed in: (no value)
Subject: Suggested policy: format string vulnerabilities
printf("some format string containing $unsafe text %d", $x);

This would probably be better written as

printf("some format string containing %s text %d", $unsafe, $x);

In Perl this isn't quite the serious stack-smashing vulnerability it can be in C, and taint mode helps too. But it's still not a safe way to program. Perlcritic should have a policy catching non-literal format strings used in printf and sprintf.
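A sketch of the suggested policy, added here as an example; it is not part of the ticket, and it is not a policy shipped with Perl-Critic. The package name is hypothetical; it uses the documented Perl::Critic::Policy interface (applies_to, violates, violation) together with is_function_call and parse_arg_list from Perl::Critic::Utils, and flags any printf/sprintf whose format is not a single non-interpolating string token, which catches the "...$unsafe..." shape from the report while accepting the "%s" rewrite.

```perl
package Perl::Critic::Policy::InputOutput::ProhibitNonLiteralFormatString;  # hypothetical name
use strict;
use warnings;
use Readonly;
use Perl::Critic::Utils qw{ :severities :classification :ppi };
use base 'Perl::Critic::Policy';

Readonly::Scalar my $DESC => q{Non-literal format string passed to printf/sprintf};
Readonly::Scalar my $EXPL => q{Use a literal format and pass variable text as %s arguments};

sub supported_parameters { return ()                 }
sub default_severity     { return $SEVERITY_MEDIUM   }
sub default_themes       { return qw( security )     }
sub applies_to           { return 'PPI::Token::Word' }

# True for a string token with no interpolation, i.e. a format that cannot
# change at run time. Approximation: an unescaped $ or @ followed by a word
# character or brace inside a "..." / qq{...} string counts as interpolation;
# heredocs and every non-quote token are conservatively treated as non-literal.
sub _is_literal_format {
    my ($tok) = @_;
    return 0 if not $tok->isa('PPI::Token::Quote');
    return 1 if $tok->isa('PPI::Token::Quote::Single')
             || $tok->isa('PPI::Token::Quote::Literal');   # '...' and q{...}
    return $tok->string() !~ m/(?<!\\)[\$\@][\w{]/xms ? 1 : 0;
}

sub violates {
    my ( $self, $elem, undef ) = @_;
    return if $elem->content() ne 'printf' and $elem->content() ne 'sprintf';
    return if not is_function_call($elem);   # skip hash keys, method names, sub names

    my @args = parse_arg_list($elem);        # one arrayref of PPI tokens per argument
    return if not @args;
    my @first = @{ $args[0] };

    # printf FH "fmt", ...: drop a leading bareword, {$fh} block or $fh symbol
    # that sits directly before the format token (no operator in between).
    if ( @first > 1
         && ( $first[0]->isa('PPI::Token::Word')
              || $first[0]->isa('PPI::Structure')
              || ( $first[0]->isa('PPI::Token::Symbol')
                   && !$first[1]->isa('PPI::Token::Operator') ) ) ) {
        shift @first;
    }

    # A single non-interpolating quote token is the only accepted shape;
    # $fmt, "...$x...", "a" . $b and the like are all flagged.
    return if @first == 1 && _is_literal_format( $first[0] );
    return $self->violation( $DESC, $EXPL, $elem );
}

1;
```

Installed under the hypothetical name above, it is selected like any other policy, for example with `perlcritic --single-policy ProhibitNonLiteralFormatString lib/`.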