Don't pass untrusted data in a printf format string

1 files changed, 14 insertions, 7 deletions

diff --git a/src/util.c b/src/util.c
index 1c049ab..ef466b4 100644
--- a/src/util.c
+++ b/src/util.c
@@ -122,7 +122,11 @@ sys_log (DBusGMethodInvocation *context,
                                 ...)
 {
         va_list args;
-        gchar *real_format;
+        gchar *msg;
+
+        va_start (args, format);
+        msg = g_strdup_vprintf (format, args);
+        va_end (args);
 
         if (context) {
                 PolkitSubject *subject;
@@ -130,27 +134,30 @@ sys_log (DBusGMethodInvocation *context,
                 gchar *id;
                 gint pid = 0;
                 gint uid = 0;
+                gchar *tmp;
 
                 subject = polkit_system_bus_name_new (dbus_g_method_get_sender (context));
                 id = polkit_subject_to_string (subject);
                 cmdline = _polkit_subject_get_cmdline (subject, &pid, &uid);
+
                 if (cmdline == NULL) {
-                        real_format = g_strdup_printf ("request by %s: %s", id, format);
+                        tmp = g_strdup_printf ("request by %s: %s", id, msg);
                 }
                 else {
-                        real_format = g_strdup_printf ("request by %s [%s pid:%d uid:%d]: %s", id, cmdline, pid, uid, format);
+                        tmp = g_strdup_printf ("request by %s [%s pid:%d uid:%d]: %s", id, cmdline, pid, uid, msg);
                 }
 
+                g_free (msg);
+                msg = tmp;
+
                 g_free (id);
                 g_free (cmdline);
                 g_object_unref (subject);
         }
 
-        va_start (args, format);
-        vsyslog (LOG_NOTICE, real_format, args);
-        va_end (args);
+        syslog (LOG_NOTICE, "%s", msg);
 
-        g_free (real_format);
+        g_free (msg);
 }
 
 static void