ansaurus

Question

Safely calling strftime with untrusted format string

Answer 1

+1 A:

If you are only interested in catching this error at certain times, you could temporarily replace the invalid parameter handler and then set it back once you have called Format.

_invalid_parameter_handler oldHandler = _set_invalid_parameter_handler(MyInvalidParameterHandler);

// Your try/Format/catch code here

_set_invalid_parameter_handler(oldHandler);

Of course, I suppose it is possible that if you have multiple threads in your program, another thread could end up calling your invalid parameter handler while it's set. You would have to determine how likely that is.

Other than writing your own validation function, I'm not sure how else you could do this.

Dustin 2010-02-24 14:16:49

Thank you for the suggestion. Unfortunately, my app is indeed multi-threaded, so I don't think I can safely toggle the handler back and forth. (The invalid parameter handler is global, rather than thread-specific.)

Eric Pi 2010-02-24 14:19:43

In that case, I believe that you will need to create your own validation function. It shouldn't be that hard. If you look in strftime.c in the CRT source code you will see a function called _expandtime. It contains a case statement for all of the supported format specifiers. You could use it as a basis for your function.

Dustin 2010-02-24 14:30:11

One possibility is to add your own invalid parameter handler that does nothing. The docs state that if control returns to the calling function it will return an error code.

Dustin 2010-02-24 15:24:34

I have validated that this does indeed work. In Debug builds you will still get break points due to assertions but in Release builds strftime will return 0 and errno will contain EINVAL.

Dustin 2010-02-24 15:32:32

Thanks, Dustin. I think a global handler that either does nothing (requiring callers to check errno) or throws an exception (requiring callers to catch) are both acceptable solutions.

Eric Pi 2010-02-24 15:40:09

Answer 2

A:

How about this verification:

 if (strftime(buffer, N, fmt_string, dummytime)) {
    // format string is ok, continue ...
 }

I assume that CTime::Format and strftime use the same format specifiers.

Nick D 2010-02-24 14:48:26

I don't think that will work as strftime will call the invalid parameter handler as described above if the format string is invalid. It suffers from the same issue as calling Format with a bad format string.

Dustin 2010-02-24 14:58:04

Thanks for the suggestion. However, under the covers, CTime::Format does indeed call (a variant of) strftime. It's actually strftime() itself which calls the invalid parameter handler. Therefore, the 'if' test in your example would (by default) exit the app, rather than evaluate false when given an invalid fmt_string.

Eric Pi 2010-02-24 15:02:34

@Dustin, @Eric: `strftime` returns `0` on failure. I tried it with wrong specifiers and it worked.

Nick D 2010-02-24 15:05:10

@Nick D: Which compiler / OS are you using? I just tried it with Visual Studio 2005 and it does indeed die/exit. I guess the real issue is that the behavior is undefined by the C standard.

Eric Pi 2010-02-24 15:16:26

@Nick D: I tried with VS2008 and it crashes in both Debug and Release.

Dustin 2010-02-24 15:22:34

@Dustin, @Eric: I tested it on VC++ 6.0 (gulp!) But this is a *weird* behavior for a format function, nevertheless.

Nick D 2010-02-24 16:30:10

ansaurus

tags:

views:

answers:

Safely calling strftime with untrusted format string

related questions