Page History

Interpretation of Java format strings is stricter than that in languages such as C. The standard library implementations throw appropriate exceptions when any conversion argument fails to match the corresponding flag. This approach reduces opportunities for malicious exploits. Nevertheless, malicious user input can exploit format strings and can cause information leaks or denial of service. As a result, strings from an untrusted source should not be incorporated into format strings.

...

CERT C Secure Coding Standard	FIO30-C. Exclude user input from format strings
CERT C++ Secure Coding Standard	FIO30-CPP. Exclude user input from format strings
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f372045bb14bf8e3-17fc9adc-412240a0-a9afb49a-5e177d6f0fc90f4e8b870a01"><ac:plain-text-body><![CDATA[	[ISO/IEC TR 24772:2010	http://www.aitcnet.org/isai/]	"Injection [RST]"	]]></ac:plain-text-body></ac:structured-macro>
MITRE CWE	CWE-134, "Uncontrolled Format String"

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d1c97967edd4ee1d-e6e2f94b-47224b39-9c3d9e58-923648d9caf81047a925c8c2"><ac:plain-text-body><![CDATA[	[[API 2006	AA. Bibliography#API 06]]	[Class Formatter	http://java.sun.com/javase/6/docs/api/java/util/Formatter.html]	]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cdb82f4d0ba9e384-c05ad881-40e64fb1-9c88aaf9-a4c3fa5e928e6996dcf9e816"><ac:plain-text-body><![CDATA[	[[Seacord 2005	AA. Bibliography#Seacord 05]]	Chapter 6, Formatted Output	]]></ac:plain-text-body></ac:structured-macro>

...

Space shortcuts

Page tree

Versions Compared

Old Version 69

New Version 70

Key