Is it safe to pass an untrusted format string to string.Format?

  • Are there any security implications of passing a format string to string.Format?

  • Could this lead to unexpected code execution? Could this lead to endless CPU or memory consumption?

Assume the following inputs are untrusted:

  • Format string
  • All arguments (suppose they are primitive types, such as integers, strings, dates, etc. Of course, the types themselves are not provided by the user.)
  • Culture

Thrown exceptions are not a problem because they are easily handled.

+7
string-formatting
1 answer

It is possible to create very long outputs with fairly small format strings. This can lead to performance problems and possibly even memory errors.

For example, string.Format("{0,9999999}",0) creates a string that consumes 20 MB of RAM. You can repeat this pattern to increase the size of the output further.

+5
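The padding trick in the answer above comes from the alignment component of a .NET composite format item, `{index[,alignment][:formatString]}`, and the same item syntax is what lets an untrusted string reference arguments that were never supplied. The following C# is an added example, not code from the question or the answer: a small validator that walks the format string before it reaches string.Format, caps the absolute alignment width, checks every index against the number of arguments, and then formats with a fixed culture. The class and member names (SafeFormatter, TryValidateFormat, MaxAlignment) and the width cap of 256 are this example's own choices, not a .NET API; the test inputs in Main are constructed.

```csharp
using System;
using System.Globalization;

// Added example (not from the original page). Guards a .NET composite format
// string before it is handed to string.Format. Assumed policy: MaxAlignment
// is the widest padding any field may request.
public static class SafeFormatter
{
    public const int MaxAlignment = 256;

    // Reads up to 7 decimal digits at position i; returns -1 if there are none
    // or more than 7. A 7-digit cap cannot overflow int and already exceeds
    // any sane width or argument index, so longer runs are simply rejected.
    private static int ReadNumber(string s, ref int i)
    {
        int value = 0, digits = 0;
        while (i < s.Length && s[i] >= '0' && s[i] <= '9')
        {
            if (++digits > 7) return -1;
            value = value * 10 + (s[i] - '0');
            i++;
        }
        return digits == 0 ? -1 : value;
    }

    private static void SkipSpaces(string s, ref int i)
    {
        while (i < s.Length && s[i] == ' ') i++;
    }

    // Returns false with a reason if 'format' must not be passed to
    // string.Format together with argCount arguments.
    public static bool TryValidateFormat(string format, int argCount, out string error)
    {
        error = null;
        int i = 0;
        while (i < format.Length)
        {
            char c = format[i];
            if (c == '}')
            {
                if (i + 1 < format.Length && format[i + 1] == '}') { i += 2; continue; } // "}}" escape
                error = "unescaped '}' at offset " + i; return false;
            }
            if (c != '{') { i++; continue; }
            if (i + 1 < format.Length && format[i + 1] == '{') { i += 2; continue; }     // "{{" escape

            int itemStart = i++;
            int index = ReadNumber(format, ref i);
            if (index < 0) { error = "bad argument index at offset " + itemStart; return false; }
            if (index >= argCount)
            {
                error = "item refers to argument " + index + " but only " + argCount + " supplied";
                return false;
            }

            SkipSpaces(format, ref i);
            if (i < format.Length && format[i] == ',')
            {
                i++;
                SkipSpaces(format, ref i);
                if (i < format.Length && format[i] == '-') i++;   // left alignment; magnitude is what costs memory
                int width = ReadNumber(format, ref i);
                if (width < 0) { error = "bad alignment at offset " + itemStart; return false; }
                if (width > MaxAlignment)
                {
                    error = "alignment " + width + " exceeds cap of " + MaxAlignment;
                    return false;
                }
                SkipSpaces(format, ref i);
            }

            if (i < format.Length && format[i] == ':')
            {
                // Format string component runs to the closing brace; braces inside it
                // are rejected outright rather than reasoned about.
                i++;
                while (i < format.Length && format[i] != '}')
                {
                    if (format[i] == '{') { error = "brace inside format string at offset " + i; return false; }
                    i++;
                }
            }

            if (i >= format.Length || format[i] != '}')
            {
                error = "unterminated format item at offset " + itemStart; return false;
            }
            i++;
        }
        return true;
    }

    // Validates, then formats with a fixed culture so the caller's locale
    // cannot change the output either.
    public static string Format(string format, params object[] args)
    {
        if (!TryValidateFormat(format, args.Length, out string why))
            throw new FormatException("rejected untrusted format string: " + why);
        return string.Format(CultureInfo.InvariantCulture, format, args);
    }

    public static void Main()
    {
        // Constructed inputs: the padding trick from the answer, an out-of-range index, a benign item.
        foreach (var fmt in new[] { "{0,9999999}", "{1}", "{0,10:N2} units {{literal}}" })
        {
            try { Console.WriteLine("OK:       [" + Format(fmt, 1234.5) + "]"); }
            catch (FormatException e) { Console.WriteLine("REJECTED: " + e.Message); }
        }
    }
}
```

The validator is deliberately stricter than .NET's own parser: anything it rejects that string.Format would have accepted is a lost feature, not a hole. The simpler and stronger option, where the design allows it, is to never let untrusted text be the format string at all and to pass it as an argument instead, as in string.Format("{0}", text); the check above is for the case where the caller genuinely needs to accept a format string from outside.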
