diff --git a/docs/labs/format-strings.html b/docs/labs/format-strings.html new file mode 100644 index 00000000..7c338eb6 --- /dev/null +++ b/docs/labs/format-strings.html @@ -0,0 +1,136 @@ + + +
+ + + + + + + + + + + + + + + + + + ++This is a lab exercise on developing secure software. +For more information, see the introduction to +the labs. + +
+
+Practice using string templates in a secure way. + +
+
+In this exercise, we'll adjust our string formatting so that it doesn't allow a user to control +the +format string. If a user can control the format string they can access +variables which they shouldn't. Particularly if those variable's values can be returned to the user +as output, it could lead to information disclosure beyond what was intended by the developer. + +
+
+ +
+Please change the code below so the string formatting cannot disclose arbitrary +program values. The server-side program is written in Python and allows a user to specify a +format string to control the output format of an event. + +
+You could adjust the program so that it only formats the event, and does not include any user input, +However it is considered safe to include user input in the output as long as they cannot control +the format string itself. + +
+Adjust the value returned by the format_event function so the the user controlled +user_input variable is only used as a +replacement field +and is not used as the format string. + +
+Use the “hint” and “give up” buttons if necessary. + +
+
+
+
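Review bot: The opening paragraph's claim that a user who controls the format string "can access variables which they shouldn't" never says how, so the learner is left without the mechanism the exercise is built on; add a sentence stating that Python's str.format replacement fields may include attribute and index lookups on the arguments passed in, which is why a user-chosen format string can expose more than the event's own text and why user_input must be an argument rather than the template. The same paragraph should read "those variables' values" rather than "those variable's values", and the instructions paragraph contains a doubled article ("so the the user controlled user_input variable") and a comma splice ("does not include any user input, However it is considered safe"; end the sentence at "input." and start the next with "However,"). Consider also spelling out, next to the format_event instruction, what the intended fix looks like at the call site, namely a constant template string with user_input supplied only as a format argument, so "used only as a replacement field" maps to something concrete in code.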