...
This noncompliant code example leaks information. It accepts a credit card expiration date as an input argument and concatenates it directly into the format string, so any format specifiers in the input are interpreted against the `Calendar` argument that follows.
```java
import java.util.Calendar;
import java.util.GregorianCalendar;

class Format {
  static Calendar c =
    new GregorianCalendar(1995, GregorianCalendar.MAY, 23);
  public static void main(String[] args) {
    // args[0] is the credit card expiration date
    // args[0] can contain either %1$tm, %1$te or %1$tY as malicious
    // arguments
    // First argument prints 05 (May), second prints 23 (day)
    // and third prints 1995 (year)
    // Perform comparison with c, if it doesn't match print the
    // following line
    System.out.printf(args[0] +
      " did not match! HINT: It was issued on %1$terd of some month", c);
  }
}
```
...
This compliant solution excludes user input from the format string entirely: the expiration date is passed as the `%s` argument, so any format specifiers it contains are printed literally instead of being interpreted.
```java
import java.util.Calendar;
import java.util.GregorianCalendar;

class Format {
  static Calendar c =
    new GregorianCalendar(1995, GregorianCalendar.MAY, 23);
  public static void main(String[] args) {
    // args[0] is the credit card expiration date
    // Perform comparison with c,
    // if it doesn't match print the following line
    // args[0] is consumed by %s (argument 1); the Calendar is
    // referenced explicitly as argument 2
    System.out.printf("%s did not match! "
      + "HINT: It was issued on %2$terd of some month", args[0], c);
  }
}
```
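As an added example (not part of the CERT page), the following combines the compliant pattern with an allowlist check on the input before it is used at all. The class name `SafeFormat`, the methods `isValidExpiry` and `mismatchMessage`, and the MM/YY expiration format are assumptions made for this illustration.

```java
import java.util.Calendar;
import java.util.GregorianCalendar;
import java.util.regex.Pattern;

public class SafeFormat {
    // Issue date used by the hint (constructed value, mirroring the page's examples).
    static final Calendar ISSUED = new GregorianCalendar(1995, Calendar.MAY, 23);

    // Allowlist for a card expiration date: exactly MM/YY (assumed format).
    private static final Pattern EXPIRY = Pattern.compile("(0[1-9]|1[0-2])/[0-9]{2}");

    /** Returns true only if the input is a well-formed MM/YY expiration date. */
    static boolean isValidExpiry(String input) {
        return input != null && EXPIRY.matcher(input).matches();
    }

    /**
     * Builds the mismatch message. The user-supplied value never becomes part of
     * the format string; it is bound to %s (argument 1), and the Calendar is
     * addressed explicitly as argument 2. Any '%' in the input is printed literally.
     */
    static String mismatchMessage(String userInput, Calendar issued) {
        return String.format(
            "%s did not match! HINT: It was issued on %2$terd of some month",
            userInput, issued);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a well-formed date, a malformed one, and one
        // carrying the conversion specifiers named on the page.
        String[] samples = { "05/23", "5/23", "%1$tm/%1$tY" };
        for (String s : samples) {
            if (!isValidExpiry(s)) {
                System.out.println("Rejected input: " + s);
                continue;
            }
            System.out.println(mismatchMessage(s, ISSUED));
        }
        // Defense in depth: even if validation were skipped, the specifiers are
        // echoed back unchanged because they are data, not part of the format.
        System.out.println(mismatchMessage("%1$tm/%1$tY", ISSUED));
        // prints: %1$tm/%1$tY did not match! HINT: It was issued on 23rd of some month
    }
}
```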
...
| Standard | Related guideline |
|---|---|
| CERT Perl Secure Coding Standard | IDS30-PL. Exclude user input from format strings |
| ISO/IEC TR 24772 | Injection [RST] |
| MITRE CWE | CWE-134. Uncontrolled format string |
...