From 6a742f8d345986a2246dfab7c089213ae4700c9c Mon Sep 17 00:00:00 2001
From: Christoph Oelckers
Date: Wed, 20 Feb 2019 20:20:06 +0100
Subject: [PATCH] - changed all places which used a localized string as a format template for printf, String.Format et.al. Passing something non-constant at compile time here is extremely dangerous, especially when users can replace those strings if they like. It now uses FString::Substitute in all cases where something needs to be inserted into a template string.
---
 src/menu/messagebox.cpp | 8 ++++----
 wadsrc/static/zscript/menu/conversationmenu.txt | 8 ++++++--
 wadsrc/static/zscript/menu/optionmenu.txt | 7 ++++---
 3 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/src/menu/messagebox.cpp b/src/menu/messagebox.cpp
index e20553673..8a2335fa7 100644
--- a/src/menu/messagebox.cpp
+++ b/src/menu/messagebox.cpp
@@ -191,8 +191,8 @@ CCMD (quicksave)
 S_Sound(CHAN_VOICE | CHAN_UI, "menu/activate", snd_menuvolume, ATTN_NONE);
- FString tempstring;
- tempstring.Format(GStrings("QSPROMPT"), savegameManager.quickSaveSlot->SaveTitle.GetChars());
+ FString tempstring = GStrings("QSPROMPT");
+ tempstring.Substitute("%s", savegameManager.quickSaveSlot->SaveTitle.GetChars());
 DMenu *newmenu = CreateMessageBoxMenu(CurrentMenu, tempstring, 0, false, NAME_None, []()
 {
@@ -234,8 +234,8 @@ CCMD (quickload)
 G_LoadGame(savegameManager.quickSaveSlot->Filename.GetChars());
 return;
 }
- FString tempstring;
- tempstring.Format(GStrings("QLPROMPT"), savegameManager.quickSaveSlot->SaveTitle.GetChars());
+ FString tempstring = GStrings("QLPROMPT");
+ tempstring.Substitute("%s", savegameManager.quickSaveSlot->SaveTitle.GetChars());
 M_StartControlPanel(true);
diff --git a/wadsrc/static/zscript/menu/conversationmenu.txt b/wadsrc/static/zscript/menu/conversationmenu.txt
index 02201a0dd..dccfc6566 100644
--- a/wadsrc/static/zscript/menu/conversationmenu.txt
+++ b/wadsrc/static/zscript/menu/conversationmenu.txt
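Review bot: Nothing next to the two `Substitute` calls in `CCMD (quicksave)` and `CCMD (quickload)` records why `Format` must not come back, so a later cleanup could reintroduce the format-string exposure this commit removes. I would add a comment above each `FString tempstring = GStrings(...)` line, for example `// QSPROMPT can be replaced by user content: treat it as plain text and substitute only the literal "%s" token, never pass it to Format().` (with QLPROMPT in the quickload hunk). The comment should also say that the placeholder is now matched as a literal token, so a replacement string that writes it differently (a width modifier, `%%`) is displayed unchanged rather than interpreted. Both function bodies continue outside their hunks.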
@@ -137,8 +137,12 @@ class ConversationMenu : Menu
 mShowGold |= reply.NeedsGold;
 let ReplyText = Stringtable.Localize(reply.Reply);
- if (reply.NeedsGold) ReplyText.AppendFormat(Stringtable.Localize("$TXT_TRADE"), reply.PrintAmount);
-
+ if (reply.NeedsGold)
+ {
+ let trade = Stringtable.Localize("$TXT_TRADE");
+ let amount = String.Format("%u", reply.PrintAmount);
+ trade.Replace("%u", amount);
+ }
 let ReplyLines = SmallFont.BreakLines (ReplyText, ReplyWidth);
 mResponses.Push(mResponseLines.Size());
diff --git a/wadsrc/static/zscript/menu/optionmenu.txt b/wadsrc/static/zscript/menu/optionmenu.txt
index 10bd91140..659830827 100644
--- a/wadsrc/static/zscript/menu/optionmenu.txt
+++ b/wadsrc/static/zscript/menu/optionmenu.txt
@@ -583,11 +583,12 @@ class GLTextureGLOptions : OptionMenu
 {
 int multiplier = gl_texture_hqresizemult * gl_texture_hqresizemult;
- string localized = StringTable.Localize("$GLTEXMNU_HQRESIZEWARN");
- message = String.Format(localized, multiplier);
+ message = StringTable.Localize("$GLTEXMNU_HQRESIZEWARN");
+ string mult = String.Format("%d", multiplier);
+ message.Replace("%d", mult);
 }
- mDesc.mItems[mWarningIndex].mLabel = message;
+ mDesc.mItems[mWarningIndex].mLabel = Font.TEXTCOLOR_CYAN .. message;
 }
 }
 }
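Review bot: The new `if (reply.NeedsGold)` block in the conversationmenu.txt hunk builds `trade` and then drops it: nothing appends it to `ReplyText`, so the `SmallFont.BreakLines (ReplyText, ReplyWidth)` call right after the block no longer receives the price text that the removed `ReplyText.AppendFormat(...)` line used to add. After `trade.Replace("%u", amount);` the block needs `ReplyText = ReplyText .. trade;` (the same `..` concatenation the optionmenu.txt hunk of this patch uses). The literal-token replacement itself does keep the user-replaceable `$TXT_TRADE` string out of the format call, which is the stated intent of the commit. The enclosing function starts and ends outside the hunk.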
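Review bot: The `Font.TEXTCOLOR_CYAN ..` prefix on the `mLabel` assignment in the optionmenu.txt hunk is applied on every path, not only when the warning text was built, and the commit description does not mention it. `message` is declared outside the hunk, so whether it can be empty at that point cannot be seen from here; if it can, the label becomes a bare colour escape, and it would be cleaner to add the colour inside the braces next to `message.Replace("%d", mult);` or to move this cosmetic change into its own commit. A short comment on the `Replace` line, e.g. `// literal "%d" token only; the localized string is never used as a format template`, would also record the security reason for the rewrite.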