[cfe-dev] RFC: default to -Werror=format-security
David Blaikie via cfe-dev
cfe-dev at lists.llvm.org
Fri Feb 19 08:10:50 PST 2016
On Wed, Feb 17, 2016 at 1:10 PM, Craig, Ben via cfe-dev <
cfe-dev at lists.llvm.org> wrote:
> On 2/17/2016 3:03 PM, Sean Silva via cfe-dev wrote:
>
> On Wed, Feb 17, 2016 at 5:27 AM, Aaron Ballman via cfe-dev <
> cfe-dev at lists.llvm.org> wrote:
>
>> On Wed, Feb 17, 2016 at 3:48 AM, David Chisnall
>> <David.Chisnall at cl.cam.ac.uk> wrote:
>> > On 16 Feb 2016, at 21:56, Aaron Ballman via cfe-dev <
>> cfe-dev at lists.llvm.org> wrote:
>> >>
>> >> Sorry, but printf(fmt); is *always* a true positive in my book. Same
>> >> with failing to return from all code paths. (etc)
>> >
>> > You are wrong. The most common reason for printf(fmt) to appear is
>> that fmt is the result of doing a lookup of the locale-aware version of
>> some constant string. In this case, the contents of fmt is entirely under
>> the control of whoever shipped the application, and will have been checked
>> for format string vulnerabilities by the localisation tools (at least,
>> assuming that the original that is being translated are free from
>> vulnerabilities). If you are not doing any caching in the application,
>> then you can mark the translation function with the attribute that
>> indicates that its input and output have the same format string
>> compatibility. If you are caching, then there is no easy way of silencing
>> this warning.
>> >
>> > Making this an error will cause valid and correct code to fail to
>> compile and will result in people simply disabling the warning, rather than
>> checking it.
>>
>> If the expected string does not have any format specifiers, then
>> printf("%s", fmt) is definitely the correct way to write that because
>> the assumption "entirely under the control of whoever shipped the
>> application" is a poor one. If it does have format specifiers, I agree
>> that we should not err, but I don't believe that was on the table.
>>
>
> I think David is talking about a situation where it is e.g.
>
> printf(translate("Please enter a number from %d-%d\n"), lo, hi);
>
>
> Note from the original post:
> "This warning complains about a printf-like format string that is not
> a literal string and is used without any arguments."
> That means that 'printf(translate("Please press OK to continue"));' would
> trigger this warning (rightfully). But the example you gave would not
> trigger the warning, as the invocation has extra 'lo' and 'hi' arguments.
>
Even in the case of a single argument to printf, I think an idiom like
translation could apply - it would seem plausible that a translation
dictionary would have strings in a consistent format, and that format would
be printf-escaped text, rather than only having strings with placeholders
be printf-escaped. So it would make sense to always printf a translated
string, I would think.
>
>
> -- Sean Silva
>
>
>>
>> ~Aaron
>> _______________________________________________
>> cfe-dev mailing list
>> cfe-dev at lists.llvm.org
>> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>>
>
>
>
> _______________________________________________
> cfe-dev mailing listcfe-dev at lists.llvm.orghttp://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>
>
> --
> Employee of Qualcomm Innovation Center, Inc.
> Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project
>
>
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20160219/27196c16/attachment.html>
More information about the cfe-dev
mailing list