[cfe-dev] RFC: default to -Werror=format-security

Nico Weber via cfe-dev cfe-dev at lists.llvm.org
Tue Feb 16 11:18:07 PST 2016


On Mon, Feb 15, 2016 at 6:04 PM, Bob Wilson via cfe-dev <
cfe-dev at lists.llvm.org> wrote:

> We’ve had a number of requests to make the format-security warning default
> to an error. This warning complains about a printf-like format string that
> is not a literal string and is used without any arguments. E.G.:
>
> format-security.c:4:10: warning: format string is not a string literal
> (potentially insecure) [-Wformat-security]
>   printf(fmt);
>          ^~~
> 1 warning generated.
>
> For background, if the format string can be controlled by external input,
> the security risk is that it could contain “%” characters and be used to
> clobber memory. The alternative is to use a fixed “%s” format, e.g.,
> printf(“%s”, fmt).
>
> This catches real-world security holes, but sometimes people don’t pay
> attention to warnings


Won't this line of reasoning lead to all useful warnings being in -Werror
eventually? Say, forgetting a return statement in a function is also "just"
a warning...


> . Promoting this warning to an error by default would get people’s
> attention and help motivate them to fix their code. But, the obvious
> downside is that it could be disruptive. Existing code might fail to build
> and would either require source code fixes or build changes to specify
> -Wno-error=format-security.
>
> Opinions?
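As an added example (not code from the thread, and not Bob's or Nico's own), the two shapes under discussion side by side: the fixed `printf("%s", ...)` form that renders untrusted text verbatim, a helper that counts how many conversions a non-literal format would make printf consume (which is the concrete reason a '%' in external input is dangerous), and a printf-style wrapper carrying the `format` attribute so clang and gcc give it the same `-Wformat-security` diagnostic as `printf` itself. The function names (`count_conversions`, `render_untrusted`, `renders_verbatim`, `logmsg`) and the sample input are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count the conversions a printf-style format would consume; "%%" is a
 * literal percent and consumes nothing. Any non-zero count on a string
 * that came from outside means printf would read (and with %n, write)
 * through arguments the caller never passed. Constructed helper, not a
 * clang API. */
int count_conversions(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" -> literal '%' */
        n++;
    }
    return n;
}

/* The fix from the thread: the format is a literal, the untrusted text is
 * an argument, so every '%' in it is copied through verbatim. Returns
 * snprintf's length. */
int render_untrusted(char *out, size_t cap, const char *untrusted) {
    return snprintf(out, cap, "%s", untrusted);
}

/* True when render_untrusted reproduces the input byte for byte. */
int renders_verbatim(const char *s) {
    char buf[256];
    render_untrusted(buf, sizeof buf, s);
    return strcmp(buf, s) == 0;
}

/* A printf-style wrapper. The format attribute (clang and gcc) says
 * parameter 3 is the format and variadic arguments start at 4, so a
 * caller who passes a non-literal format gets the same
 * "format string is not a string literal" warning as for printf. */
__attribute__((format(printf, 3, 4)))
int logmsg(char *out, size_t cap, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return n;
}

int main(void) {
    /* Constructed input: text that arrived from outside the program. */
    const char *input = "user=%s id=%x count=%n";
    char buf[128];

    printf("conversions printf would consume: %d\n", count_conversions(input));  /* 3 */

    render_untrusted(buf, sizeof buf, input);
    printf("rendered with \"%%s\": %s\n", buf);      /* percent signs intact */

    logmsg(buf, sizeof buf, "%d conversions", count_conversions(input));
    printf("%s\n", buf);

    /* logmsg(buf, sizeof buf, input);  <- would be flagged by
     *   -Wformat-security exactly like printf(fmt), thanks to the attribute. */
    return 0;
}
```

Wrappers without the `format` attribute are the usual way this warning gets lost in real code bases: the non-literal format reaches `vsnprintf` one call deeper, where the compiler can no longer see that it came from outside.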