Anders Waldenborg <anders@xxxxxxx> writes:

> AFAICU strbuf_expand doesn't suffer from the worst things that printf(3)
> suffers from wrt untrusted format string (i.e. no printf style %n which
> can write to memory, and no varargs on stack which allows leaking random
> stuff).
>
> The separator option is part of the full format string. If a malicious
> user can specify that, they can't really do anything new, as the
> separator only can expand %n and %xNN, which they already can do in the
> full string.
>
> But maybe I'm missing something?

I just wanted to make sure somebody thought it through (and hoped
that that somebody might be you). I do not offhand see a readily
usable exploit vector myself.
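
The property discussed in this thread, sketched as an added example that is not part of the original message and is not git's strbuf_expand: an expander limited to `%n` and `%xNN` takes no variadic arguments and writes only into the caller's bounded buffer. The names `expand_separator` and `hexval` are hypothetical, and the sample separators are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helpers for illustration; not code from git. */
static int hexval(char c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/*
 * Expand only %n (newline) and %xNN (one byte given as two hex digits).
 * Returns the number of bytes written (excluding the NUL terminator),
 * or -1 if the output buffer is too small.
 */
long expand_separator(const char *fmt, char *out, size_t outlen)
{
	size_t o = 0;

	if (outlen == 0)
		return -1;
	while (*fmt) {
		char c = *fmt++;

		if (c == '%' && *fmt == 'n') {
			c = '\n';	/* a newline byte, not printf's store-to-pointer */
			fmt++;
		} else if (c == '%' && *fmt == 'x' &&
			   hexval(fmt[1]) >= 0 && hexval(fmt[2]) >= 0) {
			c = (char)(hexval(fmt[1]) * 16 + hexval(fmt[2]));
			fmt += 3;
		}
		/* Anything else (%s, %p, a lone %) is copied literally. */
		if (o + 1 >= outlen)
			return -1;	/* keep room for the terminator */
		out[o++] = c;
	}
	out[o] = '\0';
	return (long)o;
}

int main(void)
{
	char buf[32];

	/* Constructed input: printf-style directives stay inert text. */
	if (expand_separator("%x2C%x20%s%p", buf, sizeof(buf)) >= 0)
		printf("[%s]\n", buf);
	return 0;
}
```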