[cfe-dev] RFC: default to -Werror=format-security

Aaron Ballman via cfe-dev cfe-dev at lists.llvm.org
Wed Feb 17 13:08:10 PST 2016


On Wed, Feb 17, 2016 at 4:03 PM, Sean Silva <chisophugis at gmail.com> wrote:
>
>
> On Wed, Feb 17, 2016 at 5:27 AM, Aaron Ballman via cfe-dev
> <cfe-dev at lists.llvm.org> wrote:
>>
>> On Wed, Feb 17, 2016 at 3:48 AM, David Chisnall
>> <David.Chisnall at cl.cam.ac.uk> wrote:
>> > On 16 Feb 2016, at 21:56, Aaron Ballman via cfe-dev
>> > <cfe-dev at lists.llvm.org> wrote:
>> >>
>> >> Sorry, but printf(fmt); is *always* a true positive in my book. Same
>> >> with failing to return from all code paths. (etc)
>> >
>> > You are wrong.  The most common reason for printf(fmt) to appear is that
>> > fmt is the result of doing a lookup of the locale-aware version of some
>> > constant string.  In this case, the contents of fmt is entirely under the
>> > control of whoever shipped the application, and will have been checked for
>> > format string vulnerabilities by the localisation tools (at least, assuming
>> > that the originals being translated are free from vulnerabilities).
>> > If you are not doing any caching in the application, then you can mark the
>> > translation function with the attribute that indicates that its input and
>> > output have the same format string compatibility.  If you are caching, then
>> > there is no easy way of silencing this warning.
>> >
>> > Making this an error will cause valid and correct code to fail to
>> > compile and will result in people simply disabling the warning, rather than
>> > checking it.
>>
>> If the expected string does not have any format specifiers, then
>> printf("%s", fmt) is definitely the correct way to write that because
>> the assumption "entirely under the control of whoever shipped the
>> application" is a poor one. If it does have format specifiers, I agree
>> that we should not err, but I don't believe that was on the table.
>
>
> I think David is talking about a situation where it is e.g.
>
> printf(translate("Please enter a number from %d-%d\n"), lo, hi);

I think I may have misunderstood the original suggestion. I was under
the impression that printf(fmt); was error-worthy, not printf(fmt,
params);. I agree with David that turning the latter into an error
would break reasonable code.

~Aaron
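Added example, not code from the cfe-dev thread or from Clang. It shows the two patterns the thread distinguishes: printf("%s", msg) for a looked-up string with no arguments, and printf(translate(fmt), args) with translate() carrying the format_arg attribute David refers to, plus the vetting of translations that the attribute silently relies on. translate(), its table entries and range_prompt() are hypothetical, constructed for this example.

```c
/* Added example (hypothetical names): safe use of looked-up format strings. */
#include <stdio.h>
#include <string.h>

#define MAX_CONV 16

#if defined(__GNUC__) || defined(__clang__)
#define FORMAT_ARG(n) __attribute__((format_arg(n)))
#else
#define FORMAT_ARG(n)
#endif

/* Record the conversion characters of a printf-style format, in order.
 * A '*' width or precision consumes an int argument and is recorded as 'd'.
 * Returns the number recorded, or -1 if the format is malformed or too long.
 * Positional "%1$d" arguments are not supported and are reported as -1. */
static int format_conversions(const char *fmt, char out[MAX_CONV])
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                          /* "%%" prints a percent sign */
            continue;
        while (*p && strchr("-+ #0", *p))       /* flags; note that ' ' is one */
            p++;
        if (*p == '*') {                        /* width taken from an argument */
            if (n >= MAX_CONV) return -1;
            out[n++] = 'd';
            p++;
        } else {
            while (*p >= '0' && *p <= '9') p++;
        }
        if (*p == '.') {                        /* precision */
            p++;
            if (*p == '*') {
                if (n >= MAX_CONV) return -1;
                out[n++] = 'd';
                p++;
            } else {
                while (*p >= '0' && *p <= '9') p++;
            }
        }
        while (*p && strchr("hlLjzt", *p))      /* length modifiers */
            p++;
        if (!*p || !strchr("diouxXeEfFgGaAcspn", *p) || n >= MAX_CONV)
            return -1;
        out[n++] = *p;
    }
    return n;
}

/* A translation may stand in for the original format only if it consumes
 * exactly the same arguments in the same order. An extra %s or %n in a
 * translation turns printf(translate(fmt), ...) into a format string bug even
 * though no attacker ever touched the string; %n is refused outright. */
static int translation_is_safe(const char *original, const char *translated)
{
    char a[MAX_CONV], b[MAX_CONV];
    int na = format_conversions(original, a);
    int nb = format_conversions(translated, b);
    if (na < 0 || nb < 0 || na != nb)
        return 0;
    if (memchr(b, 'n', (size_t)nb))
        return 0;
    return memcmp(a, b, (size_t)na) == 0;
}

/* Hypothetical locale lookup. format_arg(1) tells -Wformat (GCC and Clang)
 * that the result is as trustworthy a format as the argument, so
 * printf(translate("... %d-%d\n"), lo, hi) is not reported. That promise is
 * only honest if every entry passed translation_is_safe() before shipping. */
static const char *translate(const char *msg) FORMAT_ARG(1);
static const char *translate(const char *msg)
{
    static const char *const table[][2] = {      /* constructed entries */
        { "Please enter a number from %d-%d\n",
          "Bitte eine Zahl von %d bis %d eingeben\n" },
        { "Done\n", "Fertig\n" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i][0], msg) == 0)
            return table[i][1];
    return msg;                                  /* untranslated fallback */
}

/* The case with arguments: the literal reaches snprintf through translate(),
 * so -Wformat still checks it against lo and hi. Uses a static buffer. */
static const char *range_prompt(int lo, int hi)
{
    static char buf[128];
    snprintf(buf, sizeof buf, translate("Please enter a number from %d-%d\n"), lo, hi);
    return buf;
}

/* The case without arguments: never printf(msg), even for a string believed
 * to have no conversions; a harmless-looking "50% off" already contains one. */
static int print_message(const char *msg)
{
    return printf("%s", msg);
}

int main(void)
{
    print_message(translate("Done\n"));
    fputs(range_prompt(1, 9), stdout);
    printf("\"50%% off\" has %d conversion(s)\n",
           format_conversions("50% off", (char[MAX_CONV]){0}));
    return 0;
}
```

The caching case David mentions is the one neither pattern covers: once a translated string is stored and later passed to printf() on its own, the compiler can no longer see a literal, so the only defensible options are printf("%s", cached) when the string takes no arguments, or a vetting step like translation_is_safe() run over the whole message table before it ships.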
