About Format String Attack for D's *writef*()

Lionello Lunesu lio at lunesu.remove.com
Thu Oct 5 04:56:35 PDT 2006


Anders F Björklund wrote:
> is91042 wrote:
> 
>> The problem is *writef*() can interpret not only the first but also many
>> parameters as format strings.
> 
> This is a feature, not a bug...
> 
>> It shows that *writef*() interprets any string as a format string if it
>> was not assigned by any other format strings.
>>
>> Consider the following code.
>>
>>     char[] user_name;
>>     writefln("Please Input your name: ");
>>     din.readf("%s", &user_name);
>>     writefln("Your name is ", user_name, ". And my name is Peter.");
> 
> This is the expected behaviour with writef, need to use "%s".
> You get the same with printf, if you concatenate the strings.
> 
> Which is why I think using printf (in C) and writef (in D)
> *by default* isn't very nice to newcomers, as it is harder...
> 
> There should be a simple function that just outputs a string.
> 
>> Its behavior is so strange and is not what we expected.
> 
> You get the same "odd" behaviour in: writef("100% unexpected");
> (need to escape % by using %%, when you specify a format string)
> 
>> Although we can use the same approach that we require the programmers
>> put an argument "%s" before every string affected by users, I think it
>> is not a good privacy because it requires an extra heavy load for
>> programmers and loses the convenience of that *writef* can treat many
>> arguments as format strings.
>>
>> So, I suggest a solution: Add a new type 'fstring' as the meaning
>> "format string" and *writef*() will do different thing for fstrings
>> and strings. If a string is encountered, they dump the string.  If a
>> fstring is encountered, they do the same thing as before.
> 
> My suggestion was to instead add a "write" function, that would not
> interpret the format character '%' but just output the string as-is ?

Good idea.
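
The behaviour discussed in this thread, as an added example that is not part of the original messages and not Phobos code: a small Python model of the argument walk as the posters describe it, next to the "%s" form and the proposed `write`. The names `writef_model`, `write_model`, `FormatError`, `outcome` and the sample input are assumptions made for illustration, and only `%s`, `%d` and `%%` are modelled.

```python
# Simplified model of the argument walk the thread describes; an assumption
# for illustration, not Phobos source. Only %s, %d and %% are modelled.

class FormatError(Exception):
    """Stands in for whatever failure the real formatter raises."""

def writef_model(*args):
    """Every string argument not consumed by an earlier specifier is itself
    parsed as a format string."""
    out, queue = [], list(args)
    while queue:
        arg = queue.pop(0)
        if not isinstance(arg, str):
            out.append(str(arg))
            continue
        i = 0
        while i < len(arg):
            if arg[i] != "%":
                out.append(arg[i])
                i += 1
                continue
            spec = arg[i + 1:i + 2]
            if spec == "%":
                out.append("%")
            elif spec in ("s", "d") and queue:
                value = queue.pop(0)  # consumed as data, never re-parsed
                if spec == "d" and not isinstance(value, int):
                    raise FormatError("%d given a non-integer")
                out.append(str(value))
            else:
                raise FormatError("bad specifier or too few arguments")
            i += 2
    return "".join(out)

def write_model(*args):
    """The proposed 'write': output every argument as-is, '%' included."""
    return "".join(str(a) for a in args)

TAIL = ". And my name is Peter."
hostile = "%d"  # constructed input standing in for a user-typed name

def outcome(fn, *args):
    try:
        return fn(*args)
    except FormatError as exc:
        return "FormatError: " + str(exc)

if __name__ == "__main__":
    print(outcome(writef_model, "Your name is ", hostile, TAIL))
    print(outcome(writef_model, "Your name is %s" + TAIL, hostile))
    print(outcome(write_model, "Your name is ", hostile, TAIL))
```

In the model, the user-supplied name only changes the program's behaviour when it arrives as its own unformatted argument; bound to an explicit "%s" or passed to the non-interpreting `write`, it is printed verbatim.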



More information about the Digitalmars-d-bugs mailing list