On Feb 14, 2012, at 5:38 AM, Uli Kusterer wrote:

> In addition to this, whenever I do not actually need a format in a case like
> NSRunAlertPanel or whatever, I set the string to @"%@" and specify the actual
> string at the end in the ... section. That way, I don't have to tell my
> localizers to double their '%' signs in these five strings, or check the
> string for a '%' sign that some language might use in their translation of
> whatever the original '%'-less message might be.

Definitely the right thing to do. In general, using any non-constant string as a format argument to a printf-like function is dangerous. There’s an optional compiler warning that will detect such occurrences (I think it’s -Wformat-security, or something similar to that.)

About five years ago there was a hacker/security group that was calling attention to the lax state of security in Mac apps by releasing a zero-day vulnerability once a week or so. I kept track, and a scary-high fraction of these were format-string exploits, where an attacker can present the app with a string containing a ‘%’ character and either crash it or make it behave improperly.

—Jens
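
The two call patterns discussed in this message, as an added example that is not part of the original thread: plain C with `snprintf` stands in for the printf-like Cocoa calls, and the function names and sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example; function names and sample strings are constructed. */

/* Count '%' characters that start a conversion. "%%" is an escaped literal
   percent and is skipped. Nonzero means: never pass s as a format string. */
size_t count_conversions(const char *s) {
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Pattern recommended in the thread: constant format, text as an argument.
   The text is copied verbatim whatever '%' characters it contains. */
int render_safe(char *out, size_t cap, const char *text) {
    return snprintf(out, cap, "%s", text);
}

/* Pattern the thread warns about: text used as the format itself. Refuses
   (returns -1) if text holds a conversion, since the call below supplies no
   arguments for one and the behaviour would be undefined. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int render_as_format(char *out, size_t cap, const char *text) {
    if (count_conversions(text) != 0) return -1;
    return snprintf(out, cap, text);
}
#pragma GCC diagnostic pop

int main(void) {
    const char *samples[] = { "Disk is 100%% full", "Disk is 100% full" };
    char a[64], b[64];
    for (size_t i = 0; i < 2; i++) {
        int ra = render_safe(a, sizeof a, samples[i]);
        int rb = render_as_format(b, sizeof b, samples[i]);
        printf("input      : %s\n", samples[i]);
        printf("as argument: %s (%d)\n", a, ra);
        printf("as format  : %s (%d)\n\n", rb < 0 ? "<rejected>" : b, rb);
    }
    return 0;
}
```

With the constant format, a translation containing a single '%' is displayed unchanged; used as the format, the same string is only well-defined if every '%' has been doubled.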