DaPhil

Reputation: 1589

Sparkle in Xcode 5

I have an issue adding the Sparkle framework in Xcode 5. It is essentially described in this post. The problem is that Sparkle is not copied to the frameworks folder. The solution is to download the source code, change some settings and build it yourself. But during the build I get an error:

NSAlert *alert = [NSAlert alertWithMessageText:SULocalizedString(@"Update Error!", nil) defaultButton:SULocalizedString(@"Cancel Update", nil) alternateButton:nil otherButton:nil informativeTextWithFormat:[error localizedDescription]];

produces

Format string is not a string literal (potentially insecure)

and I can't figure out how to fix this. Can anyone help?

Upvotes: 1

Views: 451

Answers (1)

RichS

Reputation: 3147

I faced the same problem today. The change is pretty simple.

Change:

NSAlert *alert = [NSAlert alertWithMessageText:SULocalizedString(@"Update Error!", nil)
                                 defaultButton:SULocalizedString(@"Cancel Update", nil)
                               alternateButton:nil
                                   otherButton:nil
                     informativeTextWithFormat:[error localizedDescription]];

To:

NSAlert *alert = [NSAlert alertWithMessageText:SULocalizedString(@"Update Error!", nil)
                                 defaultButton:SULocalizedString(@"Cancel Update", nil)
                               alternateButton:nil
                                   otherButton:nil
                     informativeTextWithFormat:@"%@", [error localizedDescription]];

The explanation, in case you are interested, is that the informativeTextWithFormat is actually the start of a variable argument list, of which the first parameter is the format string, and the subsequent ones are the inputs to that format. The error is because the format is from a runtime string (rather than a compile time constant string), and therefore it is not possible to validate it at compile time - a malicious user could (somehow) alter the format string, at runtime, to execute malicious code from within this app.

It is the same as the difference between:

NSLog([error localizedDescription]);

And:

NSLog(@"%@", [error localizedDescription]);

Hope this helps.

Upvotes: 4
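The same distinction carried over to plain C, where snprintf follows the identical rules as the Cocoa format methods (added example, not code from the question, the answer or Sparkle; the error message is constructed). It feeds a message containing "%%", the one directive that is well defined when no arguments follow, to show that the runtime string really is being interpreted as a format in the flagged form and copied verbatim in the fixed form.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form, the answer's fix: the runtime message is an argument to a
 * literal "%s" format, so every '%' it contains is copied verbatim. */
int alert_safe(char *out, size_t cap, const char *runtime_msg)
{
    return snprintf(out, cap, "%s", runtime_msg);
}

/* The pattern the compiler flags: the runtime message itself is the format.
 * "%%" is the only directive that is well defined with no arguments, so it is
 * what the caller below feeds in; any other directive would make snprintf read
 * arguments that were never passed. The pragmas silence, for this one call,
 * the warning Xcode reports (clang's -Wformat-security). */
int alert_unsafe(char *out, size_t cap, const char *runtime_msg)
{
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
    return snprintf(out, cap, runtime_msg);
#pragma GCC diagnostic pop
}

/* Returns 1 when the message comes out of the alert routine unchanged. */
int message_is_preserved(int (*alert)(char *, size_t, const char *), const char *msg)
{
    char out[128];
    alert(out, sizeof out, msg);
    return strcmp(out, msg) == 0;
}

int main(void)
{
    /* Constructed error description; a localized string can easily contain '%'. */
    const char *msg = "Disk is 95%% full (%%s not written)";
    char out[128];
    alert_safe(out, sizeof out, msg);
    printf("safe  : %s\n", out);   /* Disk is 95%% full (%%s not written) */
    alert_unsafe(out, sizeof out, msg);
    printf("unsafe: %s\n", out);   /* Disk is 95% full (%s not written) */
    return 0;
}
```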
