This page covers the code problem "Format string is not a string literal" and its fix; the answer below should be useful to anyone who runs into the same compiler warning.

Problem description

I am getting the following issue for this line of code.

"Format string is not a string literal (potentially insecure)"

NSLog([NSString stringWithFormat:@"%@", entered]);

Any suggestions?

Recommended answer

The compiler wants us to use an NSString constant for the format string (the first argument to NSLog) because it prevents a fairly well-known exploit that could potentially violate security. So for example, you could change the code you posted as follows to keep the compiler happy:

NSLog(@"%@", [NSString stringWithFormat:@"%@", entered]);

Edit

And of course, the above could (and should) simply be written as follows:

NSLog(@"%@", entered);

The nature of the security vulnerability

A typical exploit uses a combination of these techniques to force a program to overwrite the address of a library function or the return address on the stack with a pointer to some malicious shellcode. The padding parameters to format specifiers are used to control the number of bytes output and the %x token is used to pop bytes from the stack until the beginning of the format string itself is reached. The start of the format string is crafted to contain the address that the %n format token can then overwrite with the address of the malicious code to execute.

Source: Wikipedia

[1]: http://cwe.mitre.org/data/definitions/134.html "CWE-134: Uncontrolled Format String". Common Weakness Enumeration. MITRE.
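The mechanism the answer quotes, as an added example that is not part of the original answer and is written in plain C rather than Objective-C (NSLog is a printf-style format function, so the same rules apply and the same -Wformat-security diagnostic fires): the vulnerable and fixed shapes of the logging call side by side, a way to show that the vulnerable path really interprets user text without invoking undefined behaviour, and a legal demonstration of how the width of an earlier conversion sets the byte count that %n then stores. All function names and inputs here are my own constructions.

```c
/* Added example (not the original answer's code): printf-family behaviour
 * behind the NSLog warning, in plain C. Build with:
 *   cc -Wall -Wformat -Wformat-security fmt.c
 * and the compiler warns on log_unsafe(), the C analogue of the page's warning. */
#include <stdio.h>
#include <string.h>
#include <stdarg.h>

/* Give our own wrapper the same checking printf gets: callers that pass a
 * non-literal format string are then flagged just like NSLog on the page. */
__attribute__((format(printf, 3, 4)))
static int log_fmt(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* VULNERABLE: attacker-controlled text becomes the format string.
 * This is the C shape of NSLog([NSString stringWithFormat:...]) on the page. */
static int log_unsafe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, user);        /* -Wformat-security warns here */
}

/* FIXED: a literal format; the user text is only ever an argument of %s. */
static int log_safe(char *out, size_t n, const char *user)
{
    return log_fmt(out, n, "%s", user);
}

/* Does the unsafe path interpret user data? "%%" is the one directive that is
 * well defined with no arguments, so the two paths can be compared without
 * undefined behaviour. Returns 1 when the outputs diverge. */
int unsafe_interprets_user_text(void)
{
    char a[32], b[32];
    const char *user = "50%%";            /* constructed input */
    log_unsafe(a, sizeof a, user);        /* -> "50%"  (directive consumed)  */
    log_safe(b, sizeof b, user);          /* -> "50%%" (copied verbatim)     */
    return strcmp(a, b) != 0;
}

/* The %n mechanics from the Wikipedia excerpt: the field width of an earlier
 * conversion sets how many bytes have been output, and %n stores that count
 * through a pointer. Here the pointer is supplied explicitly, so the write is
 * legal; in an exploit the "pointer" is whatever %n finds on the stack, i.e.
 * bytes the attacker placed inside the format string itself.
 * Returns the value %n stored (the width, or 2 if the width is below the
 * two hex digits of 0x41). */
int bytes_written_by_padded_x(int width)
{
    char buf[512];                        /* keep width < 512 to avoid truncation */
    int count = -1;
    snprintf(buf, sizeof buf, "%*x%n", width, 0x41, &count);
    return count;
}

int main(void)
{
    printf("unsafe path interprets user text: %d\n", unsafe_interprets_user_text());
    printf("%%n after %%100x stores %d\n", bytes_written_by_padded_x(100));
    printf("%%n after %%37x stores %d\n", bytes_written_by_padded_x(37));
    return 0;
}
```

The rule the example illustrates is the one the answer gives: the format string is always a literal, and anything that comes from outside (user input, a parsed NSString, a message from the network) travels only through %@ or %s. Marking your own logging wrappers with the format attribute (NS_FORMAT_FUNCTION on the Objective-C side) is what lets the compiler keep enforcing that rule one call level up.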

That concludes this page on the code problem "Format string is not a string literal"; hopefully the recommended answer is helpful.

07-31 02:48