String manipulation security: Remove snprintf with user defined formatting options. #4621
Comments
Removing this feature is likely to just push it into the application code, for the applications that already use it. And it is a non-issue for most applications. Leaving it in makes it easy for applications to expose this security vulnerability to the end-user. But how much of an issue is this? I think this issue should be a low priority.
This issue only applies to The least we could do is add a warning/note to In the future, we could maybe replace it with a C++20 std::format-based implementation.
Depends, in user's application code, it might be a compile-time constant.
Yes, only one I see too. And the only warnings here too: https://open.cdash.org/viewBuildError.php?type=1&buildid=9579695
How would that help?
Correction: I should say Looking at
Could then (when using C++20) be replaced with something like:
Ah, that looks promising. I guess it could even be done today, wrapped in
Well, ideally yes. But the format of
2 cents: For SimpleITK we did not expose these methods and pushed the generation or globbing to the scripting language. Other languages seem more expressive, and less error-prone for these types of operations.
I guess that will be easier from C++ too, when C++20 is available.
Description
Allowing users to specify formatting strings at runtime is a well known exploitable code security vulnerability.
We currently suppress these warnings, but it would be better to rewrite the codebase to avoid the security vulnerability altogether.
Steps to Reproduce
Expected behavior
No warning suppression and no security vulnerability.
Actual behavior
When the ITK_GCC_SUPPRESS_Wformat_nonliteral suppression is disabled, warnings are issued.
Reproducibility
New compilers, and requesting -Wformat-nonliteral
Versions
Since the earliest versions of ITK to at least 2024-04-29
Additional Information
#4616 (comment)
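As an added illustration of the report above (example code, not ITK's own): the first function passes a caller-controlled pattern to snprintf as its format, which is exactly what -Wformat-nonliteral flags; the second renders the same kind of numbered-file-name pattern itself, so user input never becomes a format string. The series-file-name use case, the function names and the accepted subset (`%%` plus one `%[0][width]d`) are assumptions for this example, not taken from the issue.

```cpp
// Added example (not ITK code): a user-supplied snprintf format string versus
// a renderer that never hands user input to snprintf as a format.
#include <cctype>
#include <cstdio>
#include <stdexcept>
#include <string>

// Unsafe: the caller-controlled pattern becomes the format argument. This is the
// call -Wformat-nonliteral warns about; a pattern with extra conversions makes
// snprintf read arguments that were never passed.
std::string formatSeriesNameUnsafe(const std::string& pattern, int index) {
    char buf[256];
    std::snprintf(buf, sizeof(buf), pattern.c_str(), index);  // non-literal format
    return buf;
}

// Safe: parse the pattern ourselves. Only literal text, "%%" and a single
// "%[0][width]d" conversion are accepted; anything else is rejected up front.
std::string formatSeriesName(const std::string& pattern, int index) {
    std::string out;
    bool seenConversion = false;
    for (std::size_t i = 0; i < pattern.size(); ++i) {
        if (pattern[i] != '%') { out += pattern[i]; continue; }
        if (++i >= pattern.size()) throw std::invalid_argument("dangling '%'");
        if (pattern[i] == '%') { out += '%'; continue; }
        if (seenConversion) throw std::invalid_argument("more than one conversion");
        bool zeroPad = false;
        if (pattern[i] == '0') { zeroPad = true; ++i; }
        std::size_t width = 0;
        while (i < pattern.size() && std::isdigit(static_cast<unsigned char>(pattern[i]))) {
            width = width * 10 + static_cast<std::size_t>(pattern[i++] - '0');
            if (width > 64) throw std::invalid_argument("field width too large");
        }
        if (i >= pattern.size() || pattern[i] != 'd')
            throw std::invalid_argument("only a single %d conversion is allowed");
        std::string num = std::to_string(index);
        std::string sign;
        if (zeroPad && num[0] == '-') { sign = "-"; num.erase(0, 1); }  // zeros go after the sign
        std::size_t have = sign.size() + num.size();
        std::string pad = have < width ? std::string(width - have, zeroPad ? '0' : ' ') : "";
        out += zeroPad ? sign + pad + num : pad + sign + num;
        seenConversion = true;
    }
    return out;
}

// True when the pattern is refused, so callers can report a bad pattern instead
// of letting it reach a format function.
bool rejectsPattern(const std::string& pattern) {
    try { formatSeriesName(pattern, 0); } catch (const std::invalid_argument&) { return true; }
    return false;
}
```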