Fix printSecret bug when input contains fmt verb
The error occurs in the `printSecret` function when the `secret`
argument contains a `fmt` "verb" and the `noline` argument is set to
true.

```
func printSecret(secret string, noline bool) {
	log.WithField("noline", noline).Debug("print secret")
	if noline {
		fmt.Printf(secret) // secret parsed as format string
	} else {
		fmt.Println(secret)
	}
}
```

By using the `secret` argument as the first argument to `fmt.Printf` in
the `noline` branch of `printSecret`, `secret` is used as the format
specifier in `Printf`. Most possible inputs to `secret` will not see any
problems. With any input that happens to contain a `fmt` verb, however,
`Printf` will try to parse the input as containing verbs, then actually
format successive arguments to the function. As no successive arguments
are passed to `fmt.Printf`, the code reaches a "Too few arguments" error
case and produces incorrect output:

```
secret := "mysupersecret%tlkajdsf"
printSecret(secret, true)
// => mysupersecret%!t(MISSING)lkajdsf
```

Use `Print` instead of `Printf` to avoid parsing the input string as a
fmt verb.

More on `fmt` verbs and format errors:
https://golang.org/pkg/fmt/#hdr-Printing

More on `fmt.Print`:
https://golang.org/pkg/fmt/#Print
andrewmelis committed Sep 26, 2017
1 parent 89b6b99 commit 291f7df
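
The behaviour the commit message describes, as an added example that is not part of the commit or of the unicreds code base: it renders a few secrets through both call styles and reports which ones come out altered. The names `renderUnsafe`, `renderSafe`, `corrupted` and `samples` are hypothetical, and all sample secrets except the one quoted in the commit message are constructed.

```go
package main

import "fmt"

// sprintf is reached through a variable on purpose: recent `go vet` releases
// flag a direct fmt.Sprintf(secret) call with a non-constant format string,
// which is exactly the defect being demonstrated here.
var sprintf = fmt.Sprintf

// renderUnsafe mirrors the pre-fix noline branch: the secret is the format string.
func renderUnsafe(secret string) string { return sprintf(secret) }

// renderSafe mirrors the fixed branch: the secret is an operand, never parsed.
func renderSafe(secret string) string { return fmt.Sprint(secret) }

// samples are constructed inputs; the second is the case from the commit message.
var samples = []string{
	"plainpassword",          // no verb: both paths agree
	"mysupersecret%tlkajdsf", // %t with no operand -> %!t(MISSING)
	"100%%sure",              // %% silently collapses to a single %
	"p%d",                    // %d with no operand -> %!d(MISSING)
}

// corrupted returns every secret whose rendered form differs from its input,
// mapped to what was actually produced.
func corrupted(render func(string) string, secrets []string) map[string]string {
	out := map[string]string{}
	for _, s := range secrets {
		if got := render(s); got != s {
			out[s] = got
		}
	}
	return out
}

func main() {
	for in, got := range corrupted(renderUnsafe, samples) {
		fmt.Printf("Printf-style: %q -> %q\n", in, got)
	}
	fmt.Println("Print-style corrupted:", len(corrupted(renderSafe, samples)))
}
```

The `%%` case is the one that goes unnoticed in practice: the output contains no `%!` marker, just a secret that is one character shorter than the stored value.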
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion cmd/unicreds/main.go
Expand Up @@ -210,7 +210,7 @@ func printFatalError(err error) {
func printSecret(secret string, noline bool) {
log.WithField("noline", noline).Debug("print secret")
if noline {
fmt.Printf(secret)
fmt.Print(secret)
} else {
fmt.Println(secret)
}
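
Review bot: no regression test accompanies the switch to `fmt.Print(secret)` in the `noline` branch; the commit touches only cmd/unicreds/main.go. A test that passes a secret containing `%` (the `mysupersecret%tlkajdsf` case from the commit message works) with `noline` set to true and asserts that the output equals the input would keep this from regressing. Because `printSecret` writes straight to stdout, having it take an `io.Writer` and call `fmt.Fprint` would make that assertion straightforward.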