Uncontrolled format string: Difference between revisions

m Details: Journal cites, using AWB (11836)
m clean up; http->https (see this RfC) using AWB
Line 20:
Many compilers can statically check format strings and produce warnings for dangerous or suspect formats.
 
In [[GNU Compiler Collection|the GNU Compiler Collection]], the relevant compiler flags are <code>-Wall</code>, <code>-Wformat</code>, <code>-Wno-format-extra-args</code>, <code>-Wformat-security</code>, <code>-Wformat-nonliteral</code>, and <code>-Wformat=2</code>.<ref>[https://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Warning-Options.html#Warning-Options Warning Options - Using the GNU Compiler Collection (GCC)<!-- Bot generated title -->]</ref>
 
Most of these checks only catch bad format strings that are known at compile time. If the format string may come from the user or from a source external to the application, the application must validate the format string before using it. Care must also be taken if the application generates or selects format strings on the fly. The <code>-Wformat-security</code> check warns when a non-literal format string is passed with no format arguments (for example <code>printf(buf)</code>), which is the most common vulnerable pattern; the stricter <code>-Wformat-nonliteral</code> check warns whenever the format string is not a string literal at all, because such a string cannot be checked against its arguments.
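The run-time validation that the paragraph above calls for, as an added example that is not part of the article: a hypothetical <code>check_format()</code> parser that allow-lists conversions, rejects <code>%n</code>, <code>*</code> widths and positional arguments, and counts the argument-consuming conversions so the caller can refuse a template that does not match the arguments it will pass. The <code>render_template()</code> wrapper and all sample templates are constructed for this example.

```c
/* Added example, not from the article: a hypothetical run-time check for
 * format strings that arrive from outside the program, where -Wformat and
 * friends cannot help because the format is not a literal. check_format()
 * walks the string with a small hand-written parser and rejects anything
 * outside an explicit allow-list of conversions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Validate fmt and count its argument-consuming conversions.
 * `allowed` lists the conversion characters the caller is prepared to
 * supply arguments for (e.g. "sd"). Returns the number of conversions, or
 * -1 if the format is rejected. Rejected: %n (writes to memory), '*' width
 * or precision (consumes an extra argument), positional "%1$s" (the '$'
 * is not an allowed conversion), a bare '%' at the end of the string, and
 * any conversion not in `allowed`. */
int check_format(const char *fmt, const char *allowed)
{
    int nconv = 0;

    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                              /* "%%" is a literal percent */
            continue;
        while (*p != '\0' && strchr("-+ #0", *p))   /* flags */
            p++;
        if (*p == '*')                              /* width taken from an argument */
            return -1;
        while (*p >= '0' && *p <= '9')              /* fixed width */
            p++;
        if (*p == '.') {                            /* precision */
            p++;
            if (*p == '*')
                return -1;
            while (*p >= '0' && *p <= '9')
                p++;
        }
        while (*p != '\0' && strchr("hlLqjzt", *p)) /* length modifiers */
            p++;
        /* The '\0' test must come first: strchr(allowed, '\0') matches the
         * terminator of `allowed` and would wrongly accept a trailing '%'. */
        if (*p == '\0' || *p == 'n' || strchr(allowed, *p) == NULL)
            return -1;
        nconv++;
    }
    return nconv;
}

/* Render a message from a run-time template that must contain exactly one
 * %s (flags, width or precision on it are fine) and nothing else that
 * consumes an argument. Returns what snprintf returns, or -1 if the
 * template is rejected. The snprintf call below is exactly the kind of
 * non-literal format that -Wformat-nonliteral flags; the check above is
 * what makes it acceptable. */
int render_template(char *out, size_t outsz, const char *tmpl, const char *name)
{
    if (check_format(tmpl, "s") != 1)
        return -1;
    return snprintf(out, outsz, tmpl, name);
}
```

The allow-list is deliberately narrow: a template that the caller will supply one string argument for should never be able to read an integer off the stack with <code>%x</code>, let alone write through <code>%n</code>, and counting the conversions is what stops a template such as <code>"%s %s"</code> from reading past the single argument that is actually passed.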
Line 36:
*[[Tobias Klein]], ''Buffer Overflows und Format-String-Schwachstellen''. Dpunkt Verlag, ISBN 3-89864-192-9.
*[[Crispin Cowan]], ''Software Security for Open-Source Systems''. IEEE Computer Society, [http://www.computer.org/web/computingnow/securityandprivacy IEEE Security & Privacy], January/February 2003
*{{cite conference|first=Crispin |last=Cowan |title=FormatGuard: Automatic Protection From printf Format String Vulnerabilities |conference=Proceedings of the 10th USENIX Security Symposium |date=August 2001 |url=http://www.usenix.com/events/sec01/full_papers/cowanbarringer/cowanbarringer.pdf}}
 
==Footnotes==