Printf format string vulnerability

brandonwamboldt / libvmod-redis

A varnish vmod for sending commands to a Redis server and getting back the response in your VCL files.

https://www.varnish-cache.org/vmod/redis-poc

Other

19 stars 10 forks source link

Printf format string vulnerability #6

Closed krhubert closed 6 years ago

krhubert commented 10 years ago

diff --git a/src/vmod_redis.c b/src/vmod_redis.c
index 97ae0ae..08e1860 100644
--- a/src/vmod_redis.c
+++ b/src/vmod_redis.c
@@ -126,7 +126,7 @@ static redisReply *redis_common(struct sess *sp, struct vmod_priv *priv, const c
     redisContext *c = redis_connect(cfg);

     if (c != NULL) {
-        redisReply *reply = redisCommand(c, command);
+        redisReply *reply = redisCommand(c, "%s", command);

         if (reply == NULL) {
             LOG_E("redis error (command): err=%d errstr=%s\n", c->err, c->errstr);

brandonwamboldt commented 10 years ago

It's not as a simple as changing that one line, as they breaks everything (as it string formats commands too). I'll look into other fixes.