Tcl is immune to many "format string vulnerabilities"

"Exploiting Format String Vulnerabilities" [L1 ]

"Danger level rises for Perl app flaws" [L2 ]

"Format string attack" [L3 ]

"What is the advantage of Tcl over Perl"


schlenk The core may be safe against format string attacks, but each extension has to take care in using various of the C stdlib string functions to not become vulnerable. The Tcl library just makes the string handling much easier and safer then the basic C lib, so there are nearly no reasons to use many of those functions in a Tcl extension. This higher abstraction level can protect against those low level flaws, if used wisely.

DKF: The main source of those vulnerabilities is when the user is able to supply the format string as well as at least one of the arguments. However, Tcl does not use sprintf() on user-supplied formats, not even in the format command, and as such is immune to those sorts of problems. In addition, Tcl code that needs string formatting tends to use the format command instead of rolling its own (in part because getting it right for UTF-8 is tricky, and format has already solved things). The core does however use sprintf() quite a bit: it's just that the formats have always been sanitized, the buffers handled right, and the arguments are always correct. Paranoia does help sometimes.


AMG: Carelessly-written Tcl programs can be vulnerable to other sorts of injection attacks. Always brace your expr-essions!