* c-common.c (warn_format_security): New variable.
(check_format_info): Warn about non-literal formats with no format
arguments if either -Wformat-nonliteral or -Wformat-security is
specified.
(set_Wformat): Set warn_format_security for settings other than 1.
* c-common.h (warn_format_security): Declare.
* c-decl.c (c_decode_option): Decode -Wformat-security and
-Wno-format-security.
* invoke.texi: Document -Wformat-security.
* toplev.c (documented_lang_options): Include -Wformat-security
and -Wno-format-security.
cp:
* decl2.c (lang_decode_option): Handle -Wformat-security.
testsuite:
* format-sec-1.c: New test.
From-SVN: r38106
+2000-12-07 Joseph S. Myers <jsm28@cam.ac.uk>
+
+ * c-common.c (warn_format_security): New variable.
+ (check_format_info): Warn about non-literal formats with no format
+ arguments if either -Wformat-nonliteral or -Wformat-security is
+ specified.
+ (set_Wformat): Set warn_format_security for settings other than 1.
+ * c-common.h (warn_format_security): Declare.
+ * c-decl.c (c_decode_option): Decode -Wformat-security and
+ -Wno-format-security.
+ * invoke.texi: Document -Wformat-security.
+ * toplev.c (documented_lang_options): Include -Wformat-security
+ and -Wno-format-security.
+
2000-12-07 Joseph S. Myers <jsm28@cam.ac.uk>
* c-common.c (check_format_info): Warn for non-constant format
int warn_format_nonliteral;
+/* Warn about possible security problems with calls to format functions. */
+
+int warn_format_security;
+
/* Nonzero means warn about possible violations of sequence point rules. */
int warn_sequence_point;
params = TREE_CHAIN (params);
++arg_num;
}
- if (params == 0 && warn_format_nonliteral)
+ if (params == 0 && (warn_format_nonliteral || warn_format_security))
status_warning (status, "format not a string literal and no format arguments");
else if (warn_format_nonliteral)
status_warning (status, "format not a string literal, argument types not checked");
warn_format_y2k = setting;
warn_format_extra_args = setting;
if (setting != 1)
- warn_format_nonliteral = setting;
+ {
+ warn_format_nonliteral = setting;
+ warn_format_security = setting;
+ }
}
\f
/* Print a warning if a constant expression had overflow in folding.
extern int warn_format_nonliteral;
+/* Warn about possible security problems with calls to format functions. */
+
+extern int warn_format_security;
+
/* Warn about possible violations of sequence point rules. */
extern int warn_sequence_point;
warn_format_nonliteral = 1;
else if (!strcmp (p, "-Wno-format-nonliteral"))
warn_format_nonliteral = 0;
+ else if (!strcmp (p, "-Wformat-security"))
+ warn_format_security = 1;
+ else if (!strcmp (p, "-Wno-format-security"))
+ warn_format_security = 0;
else if (!strcmp (p, "-Wchar-subscripts"))
warn_char_subscripts = 1;
else if (!strcmp (p, "-Wno-char-subscripts"))
+2000-12-07 Joseph S. Myers <jsm28@cam.ac.uk>
+
+ * decl2.c (lang_decode_option): Handle -Wformat-security.
+
2000-12-06 Kriang Lerdsuwanakij <lerdsuwa@users.sourceforge.net>
* pt.c (verify_class_unification): New function.
warn_format_extra_args = setting;
else if (!strcmp (p, "format-nonliteral"))
warn_format_nonliteral = setting;
+ else if (!strcmp (p, "format-security"))
+ warn_format_security = setting;
else if (!strcmp (p, "missing-format-attribute"))
warn_missing_format_attribute = setting;
else if (!strcmp (p, "conversion"))
-Wcast-align -Wcast-qual -Wchar-subscripts -Wcomment
-Wconversion -Wdisabled-optimization -Werror
-Wfloat-equal -Wformat -Wformat=2
--Wformat-nonliteral
+-Wformat-nonliteral -Wformat-security
-Wid-clash-@var{len} -Wimplicit -Wimplicit-int
-Wimplicit-function-declaration
-Werror-implicit-function-declaration
@samp{-Wformat} is included in @samp{-Wall}. For more control over some
aspects of format checking, the options @samp{-Wno-format-y2k},
-@samp{-Wno-format-extra-args}, @samp{-Wformat-nonliteral} and
-@samp{-Wformat=2} are available, but are not included in @samp{-Wall}.
+@samp{-Wno-format-extra-args}, @samp{-Wformat-nonliteral},
+@samp{-Wformat-security} and @samp{-Wformat=2} are available, but are
+not included in @samp{-Wall}.
@item -Wno-format-y2k
If @samp{-Wformat} is specified, do not warn about @code{strftime}
string literal and so cannot be checked, unless the format function
takes its format arguments as a @code{va_list}.
+@item -Wformat-security
+If @samp{-Wformat} is specified, also warn about uses of format
+functions that represent possible security problems. At present, this
+warns about calls to @code{printf} and @code{scanf} functions where the
+format string is not a string literal and there are no format arguments,
+as in @code{printf (foo);}. This may be a security hole if the format
+string came from untrusted input and contains @samp{%n}. (This is
+currently a subset of what @samp{-Wformat-nonliteral} warns about, but
+in future warnings may be added to @samp{-Wformat-security} that are not
+included in @samp{-Wformat-nonliteral}.)
+
@item -Wformat=2
Enable @samp{-Wformat} plus format checks not included in
@samp{-Wformat}. Currently equivalent to @samp{-Wformat
--Wformat-nonliteral}.
+-Wformat-nonliteral -Wformat-security}.
@item -Wimplicit-int
Warn when a declaration does not specify a type.
+2000-12-07 Joseph S. Myers <jsm28@cam.ac.uk>
+
+ * format-sec-1.c: New test.
+
2000-12-07 Joseph S. Myers <jsm28@cam.ac.uk>
* gcc.dg/format-nonlit-3.c: New test.
--- /dev/null
+/* Test for security warning when non-literal format has no arguments. */
+/* Origin: Joseph Myers <jsm28@cam.ac.uk> */
+/* { dg-do compile } */
+/* { dg-options "-std=gnu99 -Wformat -Wformat-security" } */
+
+extern int printf (const char *, ...);
+
+void
+foo (char *s)
+{
+ printf (s); /* { dg-warning "no format arguments" "security warning" } */
+}
"Don't warn about too many arguments to format functions" },
{ "-Wformat-nonliteral", "Warn about non-string-literal format strings" },
{ "-Wno-format-nonliteral", "" },
+ { "-Wformat-security",
+ "Warn about possible security problems with format functions" },
+ { "-Wno-format-security", "" },
{ "-Wimplicit-function-declaration",
"Warn about implicit function declarations" },
{ "-Wno-implicit-function-declaration", "" },
projects / thirdparty / gcc.git / commitdiff
