Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8214852

JShell tool vulnerable to printf format injection

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P4
    • Resolution: Duplicate
    • Affects Version/s: 11
    • Fix Version/s: None
    • Component/s: tools
    • Subcomponent:
    • CPU:
      x86_64
    • OS:
      generic

      Description

      A DESCRIPTION OF THE PROBLEM :
      The following line, typed at the JShell command, crashes the JShell tool: throw new Exception("%s").

      C:\tmp>jshell
      | Welcome to JShell -- Version 11.0.1
      | For an introduction type: /help intro

      jshell> throw new Exception("%s")
      | Exception java.lang.Exception: Exception in thread "main" java.util.MissingFormatArgumentException: Format specifier '%s'
              at java.base/java.util.Formatter.format(Formatter.java:2672)
              at java.base/java.io.PrintStream.format(PrintStream.java:1053)
              at java.base/java.io.PrintStream.printf(PrintStream.java:949)
              at jdk.jshell/jdk.internal.jshell.tool.JShellTool.error(JShellTool.java:728)
              at jdk.jshell/jdk.internal.jshell.tool.JShellTool.errormsg(JShellTool.java:867)
              at jdk.jshell/jdk.internal.jshell.tool.JShellTool.displayEvalException(JShellTool.java:3451)
              at jdk.jshell/jdk.internal.jshell.tool.JShellTool.displayException(JShellTool.java:3425)
              at jdk.jshell/jdk.internal.jshell.tool.JShellTool.displayException(JShellTool.java:3418)
              at jdk.jshell/jdk.internal.jshell.tool.JShellTool.handleEvent(JShellTool.java:3582)
              at jdk.jshell/jdk.internal.jshell.tool.JShellTool.processSource(JShellTool.java:3550)
              at jdk.jshell/jdk.internal.jshell.tool.JShellTool.processSourceCatchingReset(JShellTool.java:1301)
              at jdk.jshell/jdk.internal.jshell.tool.JShellTool.processInput(JShellTool.java:1203)
              at jdk.jshell/jdk.internal.jshell.tool.JShellTool.run(JShellTool.java:1176)
              at jdk.jshell/jdk.internal.jshell.tool.JShellTool.start(JShellTool.java:975)
              at jdk.jshell/jdk.internal.jshell.tool.JShellToolBuilder.start(JShellToolBuilder.java:254)
              at jdk.jshell/jdk.internal.jshell.tool.JShellToolProvider.main(JShellToolProvider.java:120)

      C:\tmp>

      This is not entirely contrived. Instead of `throw new Exception` the call that causes JShell to crash could be anything that throws an exception with a detail string that includes a format; for example, Paths.get("\"%s.txt\"") would throw an exception on Windows due to the illegal character, followed by the given path, which includes the "%" sign that causes JShell to crash.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Type the following line into JShell command line: throw new Exception("%s").

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      The exception detail message should be printed and the JShell prompt should appear.
      ACTUAL -
      JShell crashes and returns you to the OS shell command prompt.

      CUSTOMER SUBMITTED WORKAROUND :
      Be careful not to pass a "%" to any method that may throw an exception with a detail string that includes the passed string. This may not always be possible.

      FREQUENCY : always


        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                pmangal Priyanka Mangal (Inactive)
                Reporter:
                webbuggrp Webbug Group
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: