[cfe-dev] RFC: default to -Werror=format-security
Bob Wilson via cfe-dev
cfe-dev at lists.llvm.org
Mon Feb 15 18:04:30 PST 2016
We’ve had a number of requests to make the format-security warning default to an error. This warning complains about a printf-like format string that is not a literal string and is used without any arguments. E.G.:
format-security.c:4:10: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
printf(fmt);
^~~
1 warning generated.
For background, if the format string can be controlled by external input, the security risk is that it could contain “%” characters and be used to clobber memory. The alternative is to use a fixed “%s” format, e.g., printf(“%s”, fmt).
This catches real-world security holes, but sometimes people don’t pay attention to warnings. Promoting this warning to an error by default would get people’s attention and help motivate them to fix their code. But, the obvious downside is that it could be disruptive. Existing code might fail to build and would either require source code fixes or build changes to specify -Wno-error=format-security.
Opinions?
More information about the cfe-dev
mailing list