[cfe-dev] RFC: default to -Werror=format-security

David Blaikie via cfe-dev cfe-dev at lists.llvm.org
Tue Feb 16 11:01:44 PST 2016


What other warnings do we default to error? Do we seem to have any (de facto
or explicit) guideline for deciding?

On Mon, Feb 15, 2016 at 6:04 PM, Bob Wilson via cfe-dev <
cfe-dev at lists.llvm.org> wrote:

> We’ve had a number of requests to make the format-security warning default
> to an error. This warning complains about a printf-like format string that
> is not a literal string and is used without any arguments, e.g.:
>
> format-security.c:4:10: warning: format string is not a string literal
> (potentially insecure) [-Wformat-security]
>   printf(fmt);
>          ^~~
> 1 warning generated.
>
> For background, if the format string can be controlled by external input,
> the security risk is that it could contain “%” characters and be used to
> clobber memory. The alternative is to use a fixed “%s” format, e.g.,
> printf(“%s”, fmt).
>
> This catches real-world security holes, but sometimes people don’t pay
> attention to warnings. Promoting this warning to an error by default would
> get people’s attention and help motivate them to fix their code. But, the
> obvious downside is that it could be disruptive. Existing code might fail
> to build and would either require source code fixes or build changes to
> specify -Wno-error=format-security.
>
> Opinions?
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>
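The before/after pattern Bob describes, written out as an added example (not code from the thread or from clang itself; the function names and the sample message are constructed). The insecure variant is behind a macro so the file builds cleanly by default; compiling with `-DDEMONSTRATE_WARNING -Werror=format-security` reproduces the error the RFC proposes making the default.

```c
#include <stdio.h>
#include <string.h>

#ifdef DEMONSTRATE_WARNING
/* Before: the pattern -Wformat-security flags. 'msg' is passed as the format
   string with no arguments, so any '%' conversions inside it are interpreted
   instead of printed. Under -Werror=format-security this does not compile. */
void log_message_insecure(const char *msg)
{
    printf(msg);   /* format string is not a string literal [-Wformat-security] */
    putchar('\n');
}
#endif

/* After: a fixed "%s" format. The message is rendered verbatim, '%' included,
   and the compiler is silent because the format is a literal. Returns the
   length of the full message (snprintf semantics), so a caller can detect
   truncation by comparing against out_size. */
int render_message(char *out, size_t out_size, const char *msg)
{
    return snprintf(out, out_size, "%s", msg);
}

int main(void)
{
    /* Constructed sample: a message that happens to contain '%' sequences. */
    const char *msg = "rate 100% done %x %n";
    char buf[64];
    int needed = render_message(buf, sizeof buf, msg);
    printf("%s (%d chars)\n", buf, needed);   /* printed literally, no directives consumed */
    return 0;
}
```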

