path: root/usr.bin/printf/printf.1
Diffstat (limited to 'usr.bin/printf/printf.1')
-rw-r--r--  usr.bin/printf/printf.1  13
1 files changed, 12 insertions, 1 deletions
diff --git a/usr.bin/printf/printf.1 b/usr.bin/printf/printf.1
index c63bb3baffa..7dd31b6eda1 100644
--- a/usr.bin/printf/printf.1
+++ b/usr.bin/printf/printf.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: printf.1,v 1.11 2000/03/23 21:10:18 aaron Exp $
+.\" $OpenBSD: printf.1,v 1.12 2000/10/19 18:18:54 aaron Exp $
.\"
.\" Copyright (c) 1989, 1990 The Regents of the University of California.
.\" All rights reserved.
@@ -316,6 +316,17 @@ The
.Nm
command appeared in
.Bx 4.3 Reno .
+.Sh CAVEATS
+It is important to never pass a string with user-supplied data as a
+format without using
+.Ql %s .
+An attacker can put format specifiers in the string to mangle your stack,
+leading to a possible security hole.
+.Pp
+Be sure to always use the proper secure idiom:
+.Bd -literal -offset indent
+printf "%s" "$STRING"
+.Ed
.Sh BUGS
Since arguments are translated from
.Tn ASCII
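Review bot: the justification given in the new CAVEATS text, `An attacker can put format specifiers in the string to mangle your stack`, is the C printf(3) format-string argument and nothing in this hunk supports it for the printf(1) utility; the user-visible problem the caveat is warning about is that `%` sequences inside user-supplied data are interpreted as conversion directives instead of being printed, so they consume or misreport the following arguments and yield unexpected output or an error. Suggest stating that observable risk directly, and mentioning memory corruption only if the implementation is known to hand the caller's directive through to printf(3), which this diff does not show. It would also help the reader to put the unsafe form next to the safe one, e.g. `printf "$STRING"` versus `printf "%s" "$STRING"`, and to note that the recommended idiom emits no trailing newline, so `printf "%s\en" "$STRING"` is the usual line-oriented form (inside `.Bd -literal` a backslash is written `\e`). Minor: `It is important to never pass` reads better as `It is important never to pass`.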