About Format String Attack for D's *writef*()

Anders F Björklund afb at algonet.se
Thu Oct 5 01:23:07 PDT 2006


is91042 wrote:

> The problem is *writef*() can interpret not only the first but also many
> parameters as format strings.

This is a feature, not a bug...

> It shows that *writef*() interprets any string as a format string if it was
> not assigned by any other format string.
> 
> Consider the following code.
> 
> 	char[] user_name;
> 	writefln("Please Input your name: ");
> 	din.readf("%s", &user_name);
> 	writefln("Your name is ", user_name, ". And my name is Peter.");

This is the expected behaviour with writef; you need to use "%s".
You get the same with printf, if you concatenate the strings.

Which is why I think using printf (in C) and writef (in D)
*by default* isn't very nice to newcomers, as it is harder...

There should be a simple function that just outputs a string.

> Its behavior is so strange and is not what we expected.

You get the same "odd" behaviour in: writef("100% unexpected");
(need to escape % by using %%, when you specify a format string)

> Although we can use the same approach, which requires programmers to
> put a "%s" argument before every string affected by users, I think it
> is not a good policy because it puts an extra heavy load on
> programmers and loses the convenience of *writef* treating many
> arguments as format strings.
> 
> So, I suggest a solution: add a new type 'fstring' meaning
> "format string", and *writef*() will do different things for fstrings
> and strings. If a string is encountered, it dumps the string. If an
> fstring is encountered, it does the same thing as before.

My suggestion was to instead add a "write" function that would not
interpret the format character '%' but just output the string as-is?

writeln("100% easier");
writeln("Your name is ", user_name, ". And my name is Peter.");

See http://www.digitalmars.com/d/archives/digitalmars/D/21692.html
and http://www.digitalmars.com/d/archives/digitalmars/D/15627.html

--anders
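The following is an added example and not code from the original post or from the D library. It reproduces in C (the comparison Anders draws with printf) the mistake the thread describes for D's writef(): user data ends up inside the format string instead of being passed as a "%s" argument. The logging-style wrapper `emit`, the function names and the sample inputs are assumptions chosen for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the original post.  It reproduces in C the
 * mistake the thread describes for D's writef(): user data ends up inside
 * the format string instead of being passed as a "%s" argument.
 */

/* A logging-style wrapper, as often found in real code (assumed helper).
 * Because it is not declared with a format attribute, the compiler cannot
 * warn when a caller passes user data as `fmt`; this is the pattern that
 * hides the bug. */
static int emit(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: the greeting is concatenated first and the result, which now
 * contains whatever the user typed, is then used as the format string.
 * This mirrors writefln("Your name is ", user_name, ...) from the post.
 * Static buffers are used only to keep the example short. */
const char *greet_vulnerable(const char *user_name)
{
    static char msg[256];
    static char out[256];

    /* concatenation step: literal + user data + literal */
    snprintf(msg, sizeof msg, "Your name is %s. And my name is Peter.", user_name);

    /* BUG: msg is user-influenced but is passed as the format.  A name such
     * as "%x %x" would read stack words and "%n" would write memory; only
     * the harmless "%%" case is exercised below. */
    emit(out, sizeof out, msg);
    return out;
}

/* FIXED: the format is a literal and user data is an argument, the C
 * equivalent of writefln("Your name is %s. And my name is Peter.", user_name). */
const char *greet_safe(const char *user_name)
{
    static char out[256];
    snprintf(out, sizeof out, "Your name is %s. And my name is Peter.", user_name);
    return out;
}

/* Defence in depth: user data never has a legitimate reason to carry a
 * format directive, so flag any '%' before it can reach a format parameter.
 * Returns 1 if `s` contains '%', 0 otherwise. */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    /* constructed sample inputs */
    const char *plain  = "Bob";
    const char *tricky = "Bob 100%%";   /* the "100% unexpected" case */

    printf("vulnerable: %s\n", greet_vulnerable(plain));
    printf("vulnerable: %s\n", greet_vulnerable(tricky)); /* "%%" collapses to "%" */
    printf("safe:       %s\n", greet_safe(tricky));       /* "%%" printed verbatim */
    printf("directive?  %d\n", contains_format_directive(tricky));
    return 0;
}
```

The two greeting functions differ only in where the user's name goes: inside the format (vulnerable) or as a "%s" argument (safe). The "%%" input is used because it shows the divergence deterministically; any other directive in the vulnerable path is undefined behaviour and is exactly what a format string attack exploits.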



More information about the Digitalmars-d-bugs mailing list