Why is printf with a single argument (without conversion specifiers) deprecated?

c security printf format-specifiers puts
StackUser picture StackUser · Jul 8, 2015 · Viewed 14.3k times · Source

In a book that I'm reading, it's written that printf with a single argument (without conversion specifiers) is deprecated. It recommends to substitute

printf("Hello World!");

with

puts("Hello World!");

or

printf("%s", "Hello World!");

Can someone tell me why printf("Hello World!"); is wrong? It is written in the book that it contains vulnerabilities. What are these vulnerabilities?

Answer

Jabberwocky picture Jabberwocky · Jul 8, 2015

printf("Hello World!"); is IMHO not vulnerable but consider this:

const char *str;
...
printf(str);

If str happens to point to a string containing %s format specifiers, your program will exhibit undefined behaviour (mostly a crash), whereas puts(str) will just display the string as is.

Example:

printf("%s");   //undefined behaviour (mostly crash)
puts("%s");     // displays "%s\n"

Related questions

Which of sprintf/snprintf is more secure?

I wish to know which of these two options is the more secure one to use: #define MAXLEN 255 char buff[MAXLEN + 1] sprintf(buff, "%.*s", MAXLEN, name) snprintf(buff, MAXLEN, "%s", name) My understanding is that both are same. Please suggest.

Read More
C - The %x format specifier

I have a small question. I know that the %x format specifier can be used to read values from the stack in a format string attack. I found the following code: %08x%08x%08x%08x What does the 08 mean? What …

Read More
How can a Format-String vulnerability be exploited?

I was reading about vulnerabilities in code and came across this Format-String Vulnerability. Wikipedia says: Format string bugs most commonly appear when a programmer wishes to print a string containing user supplied data. The programmer may mistakenly write printf(buffer) …

Read More