Is it safe to pass an untrusted format string to string.Format?

  • Are there security implications for passing a user-provided (untrusted) format string to string.Format?

  • Can this lead to unexpected code execution? Can it result in infinite CPU or memory consumption?

Please assume that the following are untrusted inputs:

  • Format string
  • All arguments (assume them to be primitive types like integers, strings, datetimes. Certainly no user-provided types.)
  • The culture

Exceptions being thrown are not a problem because that is easily handled.

emcor asked Aug 08 '14 13:08



1 Answer

It's possible to produce very long outputs with rather small format strings. This can cause performance problems and potentially even out-of-memory errors.

For example string.Format("{0,9999999}",0) produces a string that consumes 20MB of RAM. You can repeat that pattern to increase the output size further.

CodesInChaos answered Sep 29 '22 12:09
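A defensive check for the output-size problem the answer describes, written as an added C# example that is not code from the question or the answer: it sums the alignment widths an untrusted format string asks for and refuses to call string.Format when they exceed a budget. The SafeFormat class, its regex, and the budget values are my own assumptions.

```csharp
using System;
using System.Globalization;
using System.Text.RegularExpressions;
// Guard for untrusted composite format strings: bound the padding the alignment
// components request before string.Format allocates it (e.g. "{0,9999999}").
static class SafeFormat
{
    // One format item {index[,alignment][:formatString]}; .NET allows whitespace
    // after the index and around the alignment value.
    static readonly Regex FormatItem = new Regex(
        @"\{\s*(?<index>\d+)\s*(?:,\s*(?<align>-?\d+)\s*)?(?::[^{}]*)?\}", RegexOptions.Compiled);
    // Sum of absolute alignment widths: a lower bound on the output length that
    // holds regardless of the argument values.
    public static long RequestedPadding(string format)
    {
        string unescaped = format.Replace("{{", "").Replace("}}", ""); // "{{" is literal text
        long total = 0;
        foreach (Match m in FormatItem.Matches(unescaped))
        {
            if (!m.Groups["align"].Success) continue;
            // A width that does not fit in a long is certainly over any budget.
            if (!long.TryParse(m.Groups["align"].Value, NumberStyles.AllowLeadingSign,
                               CultureInfo.InvariantCulture, out long width) || width == long.MinValue)
                return long.MaxValue;
            total += Math.Abs(width);
            if (total < 0) return long.MaxValue; // the sum itself overflowed
        }
        return total;
    }
    // Formats only when the requested padding fits the caller's budget; the length
    // check afterwards is a backstop for growth the estimator does not model.
    public static string FormatWithBudget(string format, int maxChars, params object[] args)
    {
        if (RequestedPadding(format) > maxChars)
            throw new ArgumentException("format string requests too much padding");
        string result = string.Format(CultureInfo.InvariantCulture, format, args);
        if (result.Length > maxChars)
            throw new ArgumentException("formatted output exceeds budget");
        return result;
    }
    static void Main()
    {
        Console.WriteLine(FormatWithBudget("{0,10}|{1:D4}", 100, 42, 7));
        try { FormatWithBudget("{0,9999999}", 1000, 0); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The pre-check is what prevents the allocation; the post-check only catches cases the estimate misses (such as long argument values), after the memory has already been spent.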