...

import java.util.Calendar;
import java.util.GregorianCalendar;

class Format {
  static Calendar c =
    new GregorianCalendar(1995, GregorianCalendar.MAY, 23);
  public static void main(String[] args) {
    // args[0] is the credit card expiration date
    // args[0] can contain %1$tm, %1$te or %1$tY as malicious arguments:
    // the first prints 05 (May), the second prints 23 (day)
    // and the third prints 1995 (year)
    // Perform comparison with c; if it doesn't match, print the
    // following line
    System.out.printf(args[0] +
      " did not match! HINT: It was issued on %1$terd of some month", c);
  }
}

...

import java.util.Calendar;
import java.util.GregorianCalendar;

class Format {
  static Calendar c =
    new GregorianCalendar(1995, GregorianCalendar.MAY, 23);
  public static void main(String[] args) {
    // args[0] is the credit card expiration date
    // Perform comparison with c;
    // if it doesn't match, print the following line.
    // The format string is a constant, so args[0] is never parsed as one
    System.out.printf("The input did not match!"
        + " HINT: It was issued on %1$terd of some month", c);
  }
}
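The two listings above can be compared side by side on the same inputs. The following is an added example, not code from the original page: the class `FormatDemo`, the methods `unsafe` and `safe`, and the sample inputs are hypothetical, and `safe` is a variant that still echoes the input by passing it as a `%1$s` argument rather than dropping it. It also shows a second failure mode of the concatenated form: input that references a missing argument makes the formatter throw.

```java
import java.util.Calendar;
import java.util.GregorianCalendar;
import java.util.IllegalFormatException;

// Added example; names are hypothetical and not part of the original page.
public class FormatDemo {
  static final Calendar ISSUED =
      new GregorianCalendar(1995, GregorianCalendar.MAY, 23);

  // Same pattern as the first listing: input becomes part of the format string.
  static String unsafe(String input) {
    return String.format(input
        + " did not match! HINT: It was issued on %1$terd of some month", ISSUED);
  }

  // Constant format string; input is only ever data for %1$s.
  static String safe(String input) {
    return String.format(
        "%1$s did not match! HINT: It was issued on %2$terd of some month",
        input, ISSUED);
  }

  // Runs the unsafe form and reports an exception instead of propagating it.
  static String tryUnsafe(String input) {
    try {
      return unsafe(input);
    } catch (IllegalFormatException e) {
      return "threw " + e.getClass().getSimpleName();
    }
  }

  public static void main(String[] args) {
    // Constructed sample inputs: a benign date, the three specifiers named in
    // the page's comments, and a specifier that refers to a missing argument.
    String[] samples = { "06/97", "%1$tm", "%1$te", "%1$tY", "%2$s" };
    for (String s : samples) {
      System.out.println("input  : " + s);
      System.out.println("unsafe : " + tryUnsafe(s));
      System.out.println("safe   : " + safe(s));
      System.out.println();
    }
  }
}
```

With the unsafe form the three date specifiers are replaced by fields of the stored calendar and `%2$s` raises an exception, while the safe form prints every input back verbatim.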

...

CERT C Secure Coding Standard

FIO30-C. Exclude user input from format strings

CERT C++ Secure Coding Standard

FIO30-CPP. Exclude user input from format strings

ISO/IEC TR 24772:2010 (http://www.aitcnet.org/isai/)

"Injection [RST]"

MITRE CWE

CWE-134, "Uncontrolled Format String"

Bibliography

[API 2006] Class Formatter (http://java.sun.com/javase/6/docs/api/java/util/Formatter.html)

[Seacord 2005] Chapter 6, Formatted Output

...