Re: lots of find/replace in text file


  • Subject: Re: lots of find/replace in text file
  • From: Matt Neuburg <email@hidden>
  • Date: Tue, 25 Jan 2011 01:56:00 -0800

On Jan 24, 2011, at 6:54 PM, Kyle Sluder wrote:

> On Jan 24, 2011, at 6:02 PM, Matt Neuburg <email@hidden> wrote:
>
>>
>> (2) A common trick is to make the text file a format string (i.e., containing a lot of %@) and just hand it to stringWithFormat along with all the substitutions. Badda bing badda boom.
>
> This is how security vulnerabilities are born. You are handing off formatting strings to functions that trust you are supplying the correct number and type of arguments to match, or else they will blithely access random chunks of memory.
>
> If you are at all accepting arbitrary input files, you must not simply hand the text over as a formatting specifier. Even if you're building an iOS app and bundling all the possible files yourself, do yourself a favor and build a more robust parser now.
>
> There's no sense in writing intentionally fragile code that will (not "may") result in a crasher and irate customers sometime in the future when someone accidentally puts one too many %@ sequences in the MadLib file.
>

This is madlibs; the template string comes from him, the programmer. Only the words that go into the blanks come from the user. You'll need to prove to me that performing the substitution this way is any more dangerous than substituting words from the user into the template string some other way. m.

--
matt neuburg, phd = email@hidden, http://www.tidbits.com/matt/
pantes anthropoi tou eidenai oregontai phusei
Among the 2007 MacTech Top 25, http://tinyurl.com/2rh4pf
AppleScript: the Definitive Guide, 2nd edition
http://www.tidbits.com/matt/default.html#applescriptthings
Take Control of Exploring & Customizing Snow Leopard
http://tinyurl.com/kufyy8
RubyFrontier! http://www.apeth.com/RubyFrontierDocs/default.html
TidBITS, Mac news and reviews since 1990, http://www.tidbits.com
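The disagreement above is about what happens when the number of %@ placeholders in the template drifts out of step with the number of arguments handed to a printf-style variadic function such as stringWithFormat: the function has no way to know the argument count and reads whatever sits next on the stack. The following is an added example, not code from either poster, written in C as an analogue of the Objective-C case. It implements the "more robust parser" Kyle suggests: it counts the %@ placeholders (the placeholder syntax is assumed from the thread), refuses a template whose count does not match the words supplied, and copies the words in byte-for-byte so a word that itself contains a percent sign is never treated as a conversion specifier. The template and word lists in main() are constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count "%@" placeholders in a template. A trailing lone '%' is not a
 * placeholder. (Assumed placeholder syntax, following the thread.) */
size_t count_placeholders(const char *tmpl) {
    size_t n = 0;
    for (const char *p = tmpl; *p; p++) {
        if (p[0] == '%' && p[1] == '@') {
            n++;
            p++; /* skip the '@' */
        }
    }
    return n;
}

/* Substitute `nwords` words into the "%@" slots of `tmpl`, literally.
 * Returns a malloc'd string the caller frees, or NULL when the
 * placeholder count does not equal nwords (the mismatch that a format
 * function would silently turn into an out-of-bounds vararg read). */
char *fill_template(const char *tmpl, const char *const *words, size_t nwords) {
    if (count_placeholders(tmpl) != nwords)
        return NULL;

    /* Upper bound on the output size: template plus every word. */
    size_t total = strlen(tmpl) + 1;
    for (size_t i = 0; i < nwords; i++)
        total += strlen(words[i]);

    char *out = malloc(total);
    if (!out)
        return NULL;

    char *o = out;
    size_t w = 0;
    for (const char *p = tmpl; *p; p++) {
        if (p[0] == '%' && p[1] == '@') {
            /* Copy the word verbatim; '%' inside it stays a plain byte. */
            size_t len = strlen(words[w]);
            memcpy(o, words[w], len);
            o += len;
            w++;
            p++;
        } else {
            *o++ = *p;
        }
    }
    *o = '\0';
    return out;
}

int main(void) {
    /* Constructed sample template and user-supplied words. */
    const char *tmpl = "The %@ jumped over the %@.";
    const char *words[] = { "fox", "dog" };

    char *s = fill_template(tmpl, words, 2);
    if (s) {
        printf("%s\n", s); /* The fox jumped over the dog. */
        free(s);
    }

    /* One placeholder too many: rejected instead of reading garbage. */
    const char *bad = "The %@ jumped over the %@ and the %@.";
    if (fill_template(bad, words, 2) == NULL)
        printf("rejected: placeholder count does not match word count\n");

    /* A word containing '%' is inserted as-is, never interpreted. */
    const char *tricky[] = { "100%s" };
    s = fill_template("Score: %@!", tricky, 1);
    if (s) {
        printf("%s\n", s); /* Score: 100%s! */
        free(s);
    }
    return 0;
}
```

The count check is what separates this from handing the file to stringWithFormat: a template edited to contain an extra %@ fails loudly at substitution time rather than reading a nonexistent argument, and a template with one fewer simply leaves nothing dangling. The same structure carries over to an NSString implementation that scans for the placeholder and appends with stringByAppendingString: rather than a format method.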


Cocoa-dev mailing list (email@hidden)
