david-a-wheeler
Contributor

Add "hints:" (without the field name, it has no contents).

Remove an example of a password in source code.
That is a vulnerability all by itself, we do NOT want to show how to write vulnerable code.

Add "hints:" (without the field name, it has no contents).

Remove an example of a password in source code.
That is a vulnerability all by itself, we do NOT want to
show how to write *vulnerable* code.

Signed-off-by: David A. Wheeler <[email protected]>
@david-a-wheeler david-a-wheeler marked this pull request as draft October 14, 2024 19:47
We don't need to create lots of code, and in fact,
it's often better to switch to a constant string if we can.
Let's show doing that, instead of delving into complications
that are often unnecessary.

Signed-off-by: David A. Wheeler <[email protected]>
@david-a-wheeler david-a-wheeler marked this pull request as ready for review October 14, 2024 20:56
@david-a-wheeler
Contributor Author

jasinner - thank you for your earlier work! I think it'd be better if we simplified the actual lab, so we just switch to constant strings. We don't need to focus on how to attack the wrong code in the lab itself. I changed it to merely hint at an attack, and checked in full Python source code that demonstrates the details of the attack for those who want to verify it.

@david-a-wheeler david-a-wheeler merged commit 4511197 into main Oct 17, 2024
4 checks passed
@david-a-wheeler david-a-wheeler deleted the format-strings-fixes branch October 17, 2024 15:39