...
```java
import java.util.Calendar;
import java.util.GregorianCalendar;

class Format {
  static Calendar c = new GregorianCalendar(1995, Calendar.MAY, 23);

  public static void main(String[] args) {
    // args[0] is the user-supplied credit card expiration date.
    // Because it is concatenated into the format string, any directives it
    // contains are applied to the argument c: %1$tm prints 05 (May),
    // %1$te prints 23 (day) and %1$tY prints 1995 (year).
    // Compare the input with c; if it does not match, print the following line.
    System.out.printf(args[0] + " did not match! HINT: It was issued on %1$terd of some month", c);
  }
}
```
Compliant Solution
...
```java
import java.util.Calendar;
import java.util.GregorianCalendar;
import static java.util.Calendar.MAY;

class Format {
  static Calendar c = new GregorianCalendar(1995, MAY, 23);

  public static void main(String[] args) {
    // args[0] is the user-supplied credit card expiration date.
    // Compare the input with c; if it does not match, print the following line.
    // The format string is now a constant, so nothing in args[0] is interpreted
    // by the Formatter.
    System.out.printf("The input did not match! HINT: It was issued on %1$terd of some month", c);
  }
}
```
Risk Assessment
Allowing user input to taint the format string may cause information leaks or denial of service. Unlike the C `printf` family, Java's `Formatter` cannot write to memory, but an attacker-controlled format string can still read and print every argument passed alongside it (here, the issue date held in `c`), and malformed or mismatched directives throw an unchecked `IllegalFormatException` (for example `MissingFormatArgumentException` or `IllegalFormatConversionException`) that terminates the operation.
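The following is an added example, not part of the original rule or the CERT code above, that exercises both failure modes described in this section side by side with a hardened variant. It uses `String.format` rather than `printf` so the results can be inspected as strings; the class name `FormatStringDemo`, the method names `vulnerable` and `hardened`, and the attacker inputs are assumptions made for illustration.

```java
import java.util.Calendar;
import java.util.GregorianCalendar;
import java.util.IllegalFormatException;

public class FormatStringDemo {
  // Same constructed test fixture as the rule: the card was "issued" on 23 May 1995.
  static final Calendar ISSUED = new GregorianCalendar(1995, Calendar.MAY, 23);

  // Noncompliant: the untrusted string becomes part of the format string, so any
  // directive it contains is evaluated against the trailing argument ISSUED.
  static String vulnerable(String userInput) {
    return String.format(
        userInput + " did not match! HINT: It was issued on %1$terd of some month", ISSUED);
  }

  // Compliant alternative to dropping the input entirely: the format string is a
  // constant and the untrusted value is supplied as an argument through %1$s.
  // Directives inside userInput are then copied out verbatim, never interpreted.
  static String hardened(String userInput) {
    return String.format(
        "%1$s did not match! HINT: It was issued on %2$terd of some month", userInput, ISSUED);
  }

  public static void main(String[] args) {
    // Constructed attacker inputs (hypothetical; any string could arrive in args[0]).
    String[] attacks = {
        "%1$tm/%1$tY",   // information leak: prints the month and year of ISSUED
        "%1$tA %1$tB",   // information leak: prints weekday and month name
        "%2$s",          // denial of service: there is no second argument
        "%1$d"           // denial of service: Calendar cannot be formatted as an integer
    };

    for (String input : attacks) {
      System.out.println("input            : " + input);
      try {
        // Leaks "05/1995" for the first input and throws for the last two.
        System.out.println("vulnerable output: " + vulnerable(input));
      } catch (IllegalFormatException e) {
        // MissingFormatArgumentException / IllegalFormatConversionException, both unchecked.
        System.out.println("vulnerable threw : " + e.getClass().getSimpleName());
      }
      // The hardened version never interprets the input, so it neither leaks nor throws.
      System.out.println("hardened output  : " + hardened(input));
      System.out.println();
    }
  }
}
```

The hardened variant relies on the Formatter treating the `%1$s` argument as opaque text: argument values are never re-scanned for directives, so the only way untrusted data can reach the Formatter's parser is by being concatenated into the format string itself.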
...
References
[API 06] Class Formatter, http://java.sun.com/javase/6/docs/api/java/util/Formatter.html
[Seacord 05] Chapter 6, "Formatted Output"
[MITRE 09] CWE-134, "Uncontrolled Format String", http://cwe.mitre.org/data/definitions/134.html
...