Format string vulnerability in Java?
Can non-sanitized user input result in a vulnerability if passed to System.out.printf (or any equivalent function that takes a format)?
Example:
public class Demo {
    public static void main(String[] args) {
        String userInput = "%n";
        System.out.printf(userInput);
    }
}
If this were C, for example, that would be a huge security issue; however, in Java, the only thing that can be done here is injecting a new line using "%n"? Is there something I'm missing here?
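Added example (not part of the question above): a small Java program that runs the question's pattern, user data used as the format template, next to the hardened form where the template is a constant and user data is passed as an argument. It uses only java.util.Formatter behaviour from the standard library; the sample inputs and the class/method names are constructed for illustration.

```java
import java.util.IllegalFormatException;

public class FormatStringDemo {

    // Unsafe: the user-controlled string becomes the format template.
    // Besides "%n", any conversion with no matching argument ("%s", "%d",
    // "%1$s") throws MissingFormatArgumentException, and an unknown
    // conversion ("%q") throws UnknownFormatConversionException; unhandled,
    // either one terminates the request or thread.  If the same call also
    // passed real arguments (String.format(userInput, someValue)), the
    // template would decide which of them are rendered, which is why the
    // template must never be user data.
    static String unsafe(String userInput) {
        return String.format(userInput);
    }

    // Safe: constant template, user data is an argument.  "%n", "%s" and
    // friends are rendered literally, no interpretation takes place.
    static String safe(String userInput) {
        return String.format("%s", userInput);
    }

    // Containment for a call site that cannot be fixed immediately:
    // IllegalFormatException is the common parent of every Formatter error.
    static String renderWithContainment(String userInput) {
        try {
            return unsafe(userInput);
        } catch (IllegalFormatException e) {
            return "[rejected format string: " + e.getClass().getSimpleName() + "]";
        }
    }

    // Make line breaks visible so "%n" injection shows up in the output.
    static String show(String s) {
        return s.replace("\r", "\\r").replace("\n", "\\n");
    }

    public static void main(String[] args) {
        // Constructed sample inputs, standing in for untrusted user data.
        String[] samples = { "hello", "%n", "%s", "%d", "%q", "%1$s" };
        for (String s : samples) {
            System.out.println("input=" + show(s)
                    + "  unsafe=" + show(renderWithContainment(s))
                    + "  safe=" + show(safe(s)));
        }
    }
}
```

Running it shows the two failure classes a reviewer should look for when a format string is user-controlled: "%n" expands to the platform line separator (log or output injection), and every other sample apart from "hello" raises a Formatter exception in the unsafe path, while the safe path prints each input unchanged.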