Interpretation of Java format strings is stricter than in languages such as C The java.io package includes a PrintStream class that has two equivalent formatting methods format() and printf(). System.out is a PrintStream object, allowing PrintStream methods to be invoked on System.out. The risks from using these methods are not as high as using similar functions in C or C++ [Seacord 2013]. The standard library implementations throw appropriate exceptions throws an exception when any conversion argument fails to match the corresponding format specifier. This approach reduces opportunities for malicious exploits. Nevertheless Although this helps mitigate against exploits, if malicious user input is accepted in a format string, it can cause information leaks or denial of service. As a result, unsanitized input from an untrusted source should not must never be incorporated into format strings.
...
| Code Block | ||
|---|---|---|
| ||
class Format {
static Calendar c =
new GregorianCalendar(1995, GregorianCalendar.MAY, 23);
public static void main(String[] args) {
// args[0] is the credit card expiration date
// args[0] can contain either %1$tm, %1$te or %1$tY as malicious
// arguments
// First argument prints 05 (May), second prints 23 (day)
// and third prints 1995 (year)
// Perform comparison with c, if it doesn't match print the
// following line
System.out.printf(args[0] +
" did not match! HINT: It was issued on %1$terd of some month", c);
}
}
|
...