I would like to provide a user with access to writing their own format specifier. I know that in some languages like C that there is a format specifier attack.
Are there any attacks against format specifiers in Perl for calling functions like sprintf
and allowing the user to provide the format specifier?
In this example, can you contrive anything in $unsafe_data
that would be unsafe in Perl?
return sprintf($unsafe_data, $internal_value);
CodePudding user response:
There are potentially unwanted effects.
%n
can be used to modify the arguments.Long strings can be generated.
Can cause performance issues. Can result in brutal termination.
Warnings can be generated.
Noise. Exception if warnings are made fatal.
Internal representation of scalars can be changed (e.g. by formatting
"abc"
using%d
).Probably harmless, but could have subtle effects.