From a1bcd4426b6930a91aea29169be69caedb82dbe6 Mon Sep 17 00:00:00 2001
From: Guilherme Amadio
Date: Mon, 25 Nov 2024 13:39:01 +0100
Subject: [PATCH] [Server] Fix uncontrolled format string in XrdXrootdTpcMon
The format string in urlFMT is built from strings which come from the environment, so one could pass in malicious strings that would alter the actual format being used in XrdXrootdTpcMon::getURL().
---
 src/XrdXrootd/XrdXrootdTpcMon.cc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/XrdXrootd/XrdXrootdTpcMon.cc b/src/XrdXrootd/XrdXrootdTpcMon.cc
index e95ec709795..05737dc272a 100644
--- a/src/XrdXrootd/XrdXrootdTpcMon.cc
+++ b/src/XrdXrootd/XrdXrootdTpcMon.cc
@@ -46,7 +46,7 @@ const char *json_fmt = "{\"TPC\":\"%s\",\"Client\":\"%s\","
 "\"IPv\":%c},"
 "\"Src\":\"%s\",\"Dst\":\"%s\",\"Size\":%zu}";
-const char *urlFMT = "";
+const char *hostport = "";
 XrdSysError eDest(0, "Ouc");
 }
@@ -72,8 +72,8 @@ XrdXrootdTpcMon::XrdXrootdTpcMon(const char *proto,
 const char *host = getenv("XRDHOST"); if (!host) host = "localhost";
 const char *port = getenv("XRDPORT"); if (!port) {colon = ""; port = "";}
- snprintf(buff, sizeof(buff), "%%s://%s%s%s/%%s", host, colon, port);
- urlFMT = strdup(buff);
+ snprintf(buff, sizeof(buff), "%s%s%s", host, colon, port);
+ hostport = strdup(buff);
 }
 /******************************************************************************/
@@ -86,7 +86,7 @@ const char *XrdXrootdTpcMon::getURL(const char *spec, const char *prot,
 // Handle the spec
 //
 if (*spec == '/')
- {snprintf(buff, bsz, urlFMT, prot, spec);
+ {snprintf(buff, bsz, "%s://%s/%s", prot, hostport, spec);
 spec = buff;
 }
 return spec;
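Review bot: In the constructor hunk (`@@ -72,8 +72,8 @@`) the result of `strdup(buff)` is stored in `hostport` without a null check, so an allocation failure would leave it null and getURL() would then hand a null pointer to `%s`, which is undefined behaviour. Keeping the empty-string default on failure avoids that: `if (char *hp = strdup(buff)) hostport = hp;`. The assignment also runs on every construction, so if more than one XrdXrootdTpcMon is ever created the earlier copy is leaked; whether that happens depends on callers not visible here. The constructor's body and the declaration of `buff` start outside the hunk.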
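Review bot: In the getURL() hunk (`@@ -86,7 +86,7 @@`) the return value of `snprintf(buff, bsz, "%s://%s/%s", prot, hostport, spec)` is ignored, so a protocol, host and path that together exceed `bsz` produce a silently truncated URL that is then returned as if it were complete. Capturing the result (`int n = snprintf(...)`) and treating `n < 0` or `n >= bsz` as a failure, with whatever fallback the callers expect, would make the truncation visible; the callers and the type of `bsz` are outside the hunk, so the right fallback needs confirming. It is also worth a comment at the `hostport` declaration, for example `// Built from XRDHOST/XRDPORT: pass only as a %s argument, never as a format string`, so the defect fixed here is not reintroduced. The function's signature continues outside the hunk.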