[cfe-dev] RFC: default to -Werror=format-security
Sean Silva via cfe-dev
cfe-dev at lists.llvm.org
Wed Feb 17 13:03:06 PST 2016
On Wed, Feb 17, 2016 at 5:27 AM, Aaron Ballman via cfe-dev <
cfe-dev at lists.llvm.org> wrote:
> On Wed, Feb 17, 2016 at 3:48 AM, David Chisnall
> <David.Chisnall at cl.cam.ac.uk> wrote:
> > On 16 Feb 2016, at 21:56, Aaron Ballman via cfe-dev <
> cfe-dev at lists.llvm.org> wrote:
> >>
> >> Sorry, but printf(fmt); is *always* a true positive in my book. Same
> >> with failing to return from all code paths. (etc)
> >
> > You are wrong. The most common reason for printf(fmt) to appear is that
> fmt is the result of doing a lookup of the locale-aware version of some
> constant string. In this case, the contents of fmt is entirely under the
> control of whoever shipped the application, and will have been checked for
> format string vulnerabilities by the localisation tools (at least, assuming
> that the originals that are being translated are free from vulnerabilities).
> If you are not doing any caching in the application, then you can mark the
> translation function with the attribute that indicates that its input and
> output have the same format string compatibility. If you are caching, then
> there is no easy way of silencing this warning.
> >
> > Making this an error will cause valid and correct code to fail to
> compile and will result in people simply disabling the warning, rather than
> checking it.
>
> If the expected string does not have any format specifiers, then
> printf("%s", fmt) is definitely the correct way to write that because
> the assumption "entirely under the control of whoever shipped the
> application" is a poor one. If it does have format specifiers, I agree
> that we should not err, but I don't believe that was on the table.
>
I think David is talking about a situation where it is e.g.
printf(translate("Please enter a number from %d-%d\n"), lo, hi);
-- Sean Silva
>
> ~Aaron
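For readers following the thread, here is an added example (not code from the thread or from clang) of the two cases being argued about: a translated message that legitimately carries `%d` specifiers, which the `format_arg` attribute David refers to makes checkable, and a non-literal string with no specifiers, which Aaron's `printf("%s", fmt)` form handles. The `translate()` lookup table is constructed for the example and stands in for a gettext-style call; the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a locale lookup (toy English -> French table).
 * A real application would call gettext() or similar here. */
struct entry { const char *src; const char *dst; };
static const struct entry table[] = {
    { "Please enter a number from %d-%d\n",
      "Veuillez saisir un nombre entre %d et %d\n" },
    { "Hello\n", "Bonjour\n" },
};

/* format_arg(1) tells clang/gcc that the returned string is a format string
 * carrying the same specifiers as parameter 1. printf(translate("..%d.."), x)
 * is then checked exactly like printf("..%d..", x), and -Wformat-security
 * does not fire, because the format is still traceable to a literal. */
static const char *translate(const char *msg) __attribute__((format_arg(1)));
static const char *translate(const char *msg)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].src, msg) == 0)
            return table[i].dst;
    return msg;                     /* untranslated fallback: the literal itself */
}

/* Case 1: translated message with specifiers; arguments are still checked. */
int format_range(char *out, size_t n, int lo, int hi)
{
    return snprintf(out, n, translate("Please enter a number from %d-%d\n"), lo, hi);
}

/* Case 2: non-literal string expected to carry no specifiers. Passing it as
 * data means a stray "%x" or "%n" in s is printed literally, never interpreted. */
int echo_safe(char *out, size_t n, const char *s)
{
    return snprintf(out, n, "%s", s);
}

/* The shape -Wformat-security flags: a non-literal format with no arguments.
 * If s ever contains '%' directives, the call reads arguments that were never
 * passed. Kept only to show what the warning points at; the pragma exists so
 * this file still builds under -Werror. Do not call it with untrusted input. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int echo_unsafe(char *out, size_t n, const char *s)
{
    return snprintf(out, n, s);
}
#pragma GCC diagnostic pop

int main(void)
{
    char buf[128];
    format_range(buf, sizeof buf, 1, 10);
    fputs(buf, stdout);
    echo_safe(buf, sizeof buf, "%x%x%n");   /* constructed hostile input */
    puts(buf);
    return 0;
}
```

Build with `clang -Wall -Wformat -Werror=format-security` to see that `format_range` and `echo_safe` compile cleanly while the body of `echo_unsafe` would be rejected without the pragma. Note that `format_arg` only helps when the compiler can see the literal flowing into the marked function; a format pulled out of a cache or any other non-literal source is the case David describes, and for it the attribute offers nothing.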