printw should not be exposed.
#172
Comments
|
This function still should have been marked as unsafe, since it's trivial to cause an exploitable memory safety issue when calling it... |
|
Deprecation is definitely insufficient because it's not transitive, and more importantly, people do not expect "deprecated" to mean "using this may cause memory errors". However, that's exactly what This is a serious security issue - such bugs can be easily exploited to get remote code execution. Please mark |
Stef-Gijsberts
pushed a commit
to Stef-Gijsberts/chessmind
that referenced
this issue
May 7, 2021
Because the usage of 'printw' is deprecated. Also see: jeaye/ncurses-rs#172
yshavit
added a commit
to yshavit/wordle-guesser
that referenced
this issue
Apr 10, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It's very difficult / impossible to use this function from rust without introducing a format string vulnerability into your code (which can be used to trigger arbitrary code execution).
If you must expose something like it, have it just call addstr or mark it as unsafe (and deprecate it in both cases, IMO).
See also: #149 and #125.
The text was updated successfully, but these errors were encountered: