3.2. Preventing Attacks on Formatting Functions
You use functions such as
your program, and you want to ensure that you use them in such a way
that an attacker cannot coerce them into behaving in ways that you do
Functions such as the printf( ) family of functions provide a flexible and powerful way to format data easily. Unfortunately, they can be extremely dangerous as well. Following the guidelines outlined in Section 3.2.3 will allow you to easily avert many of the problems with these functions.
The printf( ) family of functions—and other functions that use them, such as syslog( ) on Unix systems—all require an argument that specifies a format, as well as a variable number of additional arguments that are substituted at various locations in the format string to produce formatted output. The functions come in two major varieties:
Those that output to a file (
printf( )outputs to
Those that output to a string
Both can be dangerous, but the latter variety is significantly more so.
The format string is copied, character by character, until a percent ( %) symbol is encountered. The characters that immediately follow the percent symbol determine what will be output in their place. For each substitution in the format string, the next argument in the variable argument list is used. Because of the way that variable-sized argument lists work in C (see Recipe 13.4), the functions assume that the number ...
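The following is an added example, not code from the book, illustrating the point above: untrusted data must be passed as an argument to a fixed format (here through a "%s" directive), never as the format string itself, so that any percent signs it contains are copied literally rather than interpreted as conversions. The helper names (log_untrusted, count_directives) and the sample inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: formats an untrusted string into a fixed-size buffer.
 * The untrusted data is supplied as the argument for a "%s" directive, so a
 * '%' inside it is copied literally instead of being treated as a conversion.
 * Returns 1 if the whole message fit, 0 if snprintf truncated it (the buffer
 * is NUL-terminated either way). Never do this instead:
 *     printf(untrusted);          // wrong: the attacker controls the format
 */
int log_untrusted(char *out, size_t outlen, const char *untrusted)
{
    int n = snprintf(out, outlen, "request: %s", untrusted);
    return n >= 0 && (size_t)n < outlen;
}

/* Counts the conversion directives the printf( ) family would act on if the
 * given string were used as a format. "%%" is a literal percent sign and is
 * not counted. Handy in a unit test that guards a fixed format string. */
int count_directives(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" outputs a single '%' */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* Self-check: constructed input containing conversion characters must come
 * out as literal text when it is passed as a "%s" argument. */
int untrusted_percent_is_literal(void)
{
    char buf[64];
    if (!log_untrusted(buf, sizeof buf, "%x %x %n"))
        return 0;
    return strcmp(buf, "request: %x %x %n") == 0;
}

/* Self-check: a buffer too small for the message is truncated safely and the
 * truncation is reported ("request: hello" needs 15 bytes, only 12 exist). */
int truncation_is_reported(void)
{
    char buf[12];
    return log_untrusted(buf, sizeof buf, "hello") == 0 &&
           strcmp(buf, "request: he") == 0;
}

int main(void)
{
    printf("literal percent preserved: %d\n", untrusted_percent_is_literal());
    printf("truncation reported:       %d\n", truncation_is_reported());
    printf("directives in \"100%% done: %%s %%d\": %d\n",
           count_directives("100%% done: %s %d"));
    return 0;
}
```

Because the format passed to snprintf( ) is a compile-time constant, the number of conversions always matches the number of arguments supplied, which is exactly the property the text explains the functions assume but cannot verify for themselves.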