[packagekit] Delimitors for handling multiple package_ids

Patryk Zawadzki patrys at pld-linux.org
Fri Sep 26 08:44:48 PDT 2008


On Fri, Sep 26, 2008 at 2:51 PM, Richard Hughes <hughsient at gmail.com> wrote:
> It turns out this is a problem actually, as % in a printf seems to break
> things pretty bad when running the daemon in verbose mode.

Actually that's a problem in PK code. You should never pass untrusted
strings as the 1st param to printf. For everything that comes from
outside of your own code, use

printf("%s", str)

Otherwise you're just adding a potential attack vector.

-- 
Patryk Zawadzki
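
The rule from the message above, as an added example that is not part of the original post and not PackageKit code: a verbose-mode logger that passes outside strings only as arguments to a constant "%s" format. The names debug_log and log_package_ids and the sample package ids are assumptions made up for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical verbose-mode logger (not PackageKit's own function).
 * The format attribute lets GCC/Clang type-check the arguments at every
 * call site and, with -Wformat-security, warn when the format string is
 * not a literal. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int debug_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);  /* bounded and NUL-terminated */
    va_end(ap);
    return n;                             /* length the full message needs */
}

/* Log a string that came from outside the daemon. The data is an argument
 * to a constant "%s" format, so a '%' inside it is copied, not parsed. */
static int log_package_ids(char *out, size_t outlen, const char *ids)
{
    /* Unsafe form, shown only as a comment: debug_log(out, outlen, ids); */
    return debug_log(out, outlen, "package_ids: %s", ids);
}

int main(void)
{
    /* Constructed sample: two package ids joined with '%'. Used as a format
     * string, "%dbus" would be read as a %d conversion followed by "bus". */
    const char *ids = "hal;0.5.11;i386;fedora%dbus;1.2.3;i386;fedora";
    char line[256];

    log_package_ids(line, sizeof line, ids);
    puts(line);
    return 0;
}
```

Building with -Wall -Wformat-security makes the compiler flag any remaining call site that passes a non-literal string as the format.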


