I have read a bit about the security of printf() in C++.
Examples can be found e.g. here.
It left me wondering if fmt.Printf()
from golang is safe.
To be more specific if it is safe if the formatted string itself could be forged.
inputString := "String from user"
x := "test"
fmt.Printf(inputString, x, 15)
When trying to replicate the exploits from C++, golang does not seem to be vulnerable.
E.g. fmt.Printf("%s%s%s%s%s%s%s%s%s%s%s%s
")
does not crash the program in golang.
Such an analysis of course is no proof that this would be secure in golang. So i wanted to ask here: Have the developers of go foolproofed its printf function?
Edit: By foolproof I mean that it does not have any unexpected side effects. I would expect the resulting string to be totally compromised of course. I would not expect the user to be able to gain privileged information (like the content of variables not passed to printf), or the user to be able to write any memory (e.g. assign a new value to x).