Interpretation of Java format strings is stricter than in languages such as C [Seacord 2013]. The standard library implementations throw an IllegalFormatException (for example, IllegalFormatConversionException or MissingFormatArgumentException) whenever a conversion argument fails to match its format specifier, so the memory-corruption attacks that format-string bugs enable in C do not apply. Nevertheless, untrusted input that reaches a format string can still do damage: a specifier chosen by the attacker (such as %1$te) can print arguments the program never intended to disclose, an information leak, and a specifier that does not match the supplied arguments makes the call throw, which can be turned into a denial of service. As a result, strings from an untrusted source must not be incorporated into format strings.
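The following is an added example, not code from the CERT page or its authors, that contrasts the two patterns the paragraph describes. The class name FormatStringDemo, the helper names, and the probe inputs are hypothetical and constructed for illustration; the Calendar argument stands in for any value the program formats legitimately elsewhere.

```java
import java.util.Calendar;
import java.util.GregorianCalendar;
import java.util.IllegalFormatException;

// Added example, not from the CERT page. Class and method names are
// hypothetical; the probe inputs are constructed to show each failure mode.
public class FormatStringDemo {
  // A value the program formats legitimately elsewhere; an attacker who
  // controls the format string can pull it out through %1$t... conversions.
  static final Calendar ISSUED = new GregorianCalendar(1995, Calendar.MAY, 23);

  // Noncompliant: untrusted text is spliced into the format string itself.
  static String vulnerable(String userInput) {
    return String.format(userInput + " did not match!", ISSUED);
  }

  // Compliant: the format string is a constant and the untrusted text is
  // supplied only as a conversion argument, so its '%' characters are inert.
  static String hardened(String userInput) {
    return String.format("%s did not match!", userInput);
  }

  // Fallback for the rare case where untrusted text must end up inside a
  // format string (for example, a legacy template API): neutralize every '%'.
  static String escapePercent(String userInput) {
    return userInput.replace("%", "%%");
  }

  public static void main(String[] args) {
    String[] probes = {
      "01/2027",            // benign expiration date
      "%1$tY-%1$tm-%1$td",  // information leak: formats ISSUED as a date
      "%d",                 // IllegalFormatConversionException: a Calendar is not an integer
      "%2$s",               // MissingFormatArgumentException: only one argument exists
    };
    for (String probe : probes) {
      try {
        System.out.println("vulnerable: " + vulnerable(probe));
      } catch (IllegalFormatException e) {
        // In a server, this uncaught exception is the denial-of-service path.
        System.out.println("vulnerable: threw " + e.getClass().getSimpleName());
      }
      System.out.println("hardened:   " + hardened(probe));
      String escaped = String.format(escapePercent(probe) + " did not match!", ISSUED);
      System.out.println("escaped:    " + escaped);
    }
  }
}
```

Run it with `javac FormatStringDemo.java && java FormatStringDemo`. The vulnerable() path shows the two problems side by side: the date probe reads ISSUED out through the attacker's own %1$t conversions, and the two malformed probes throw. The hardened() path prints every probe verbatim, because a '%' in a conversion argument is never interpreted. escapePercent() is a last resort for code that cannot be restructured; passing the text as an argument remains the correct fix.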
...
```java
import java.util.Calendar;
import java.util.GregorianCalendar;

class Format {
  static Calendar c =
    new GregorianCalendar(1995, GregorianCalendar.MAY, 23);
  public static void main(String[] args) {
    // args[0] is the credit card expiration date
    // Perform comparison with c,
    // if it doesn't match, print the following line.
    // args[0] is passed only as an argument to a constant format string;
    // %2$te selects the day of month of the second argument, c
    // (%1$te would select args[0], a String, and throw
    // IllegalFormatConversionException).
    System.out.printf("%s did not match! "
      + " HINT: It was issued on %2$terd of some month", args[0], c);
  }
}
```
...
CERT Perl Secure Coding Standard | IDS30-PL. Exclude user input from format strings
 | Injection [RST]
 | CWE-134, Uncontrolled format string
...
[API 2006] |
[Seacord 2013] | Chapter 6, "Formatted Output"
...