• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Odd display of percent character
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Odd display of percent character

  • Subject: Re: Odd display of percent character
  • From: Uli Kusterer <email@hidden>
  • Date: Wed, 15 Feb 2012 10:03:33 +0100
On 14.02.2012, at 17:53, Jens Alfke wrote:
> On Feb 14, 2012, at 5:38 AM, Uli Kusterer wrote:
>> In addition to this, whenever I do not actually need a format in a case like NSRunAlertPanel or whatever, I set the string to @"%@" and specify the actual string at the end in the ... section. That way, I don't have to tell my localizers to double their '%' signs in these five strings, or check the string for a '%' sign that some language might use in their translation of whatever the orginal '%'-less message might be.
>
> Definitely the right thing to do. In general, using any non-constant string as a format argument to a printf-like function is dangerous. There’s an optional compiler warning that will detect such occurrences (I think it’s -Wformat-security, or something similar to that.)

 I think "constant" is a bad choice of criterion. It depends on whether the source of the string is trustworthy and can be intercepted. Depending on your interpretation, the result of NSLocalizedString is constant (for the runtime of your program) or non-constant (it actually gets loaded from a file at startup, into dynamically allocated memory).

 If your translator hasn't been made aware of which strings are format strings, they don't know to watch their percent signs.

> About five years ago there was a hacker/security group that was calling attention to the lax state of security in Mac apps by releasing a zero-day vulnerability once a week or so. I kept track, and a scary-high fraction of these were format-string exploits, where an attacker can present the app with a string containing a ‘%’ character and either crash it or make it behave improperly.


"One exploit a day" or something like that ... ? Yeah, I vaguely remember.

Cheers,
-- Uli Kusterer
"The Witnesses of TeachText are everywhere..."
http://www.masters-of-the-void.com




_______________________________________________

Cocoa-dev mailing list (email@hidden)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
References: 
 >Odd display of percent character (From: Chris Paveglio <email@hidden>)
 >Re: Odd display of percent character (From: Keary Suska <email@hidden>)
 >Re: Odd display of percent character (From: Uli Kusterer <email@hidden>)

  • Prev by Date: Re: copy & isEqual nightmares
  • Next by Date: IKPictureTaker crash
  • Previous by thread: Re: Odd display of percent character
  • Next by thread: Re: Odd display of percent character
  • Index(es):
    • Date
    • Thread