Static analysis tools that perform taint analysis can diagnose some violations of this rule.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
This rule appears in the C Secure Coding Standard as FIO30-C. Exclude user input from format strings.
This rule appears in the C++ Secure Coding Standard as FIO30-CPP. Exclude user input from format strings.
Related Guidelines
[MITRE 2009] CWE-134, "Uncontrolled Format String", http://cwe.mitre.org/data/definitions/134.html
Bibliography
[API 2006] Class Formatter, http://java.sun.com/javase/6/docs/api/java/util/Formatter.html
[Seacord 2005] Chapter 6, "Formatted Output"