From 0a1f96f5e938f465ffd78e44a40f0766d35bd8c9 Mon Sep 17 00:00:00 2001
From: jsm28
Date: Thu, 7 Dec 2000 07:56:44 +0000
Subject: [PATCH] * c-common.c (warn_format_security): New variable. (check_format_info): Warn about non-literal formats with no format arguments if either -Wformat-nonliteral or -Wformat-security is specified. (set_Wformat): Set warn_format_security for settings other than 1. * c-common.h (warn_format_security): Declare. * c-decl.c (c_decode_option): Decode -Wformat-security and -Wno-format-security. * invoke.texi: Document -Wformat-security. * toplev.c (documented_lang_options): Include -Wformat-security and -Wno-format-security.
cp:
* decl2.c (lang_decode_option): Handle -Wformat-security.
testsuite:
* format-sec-1.c: New test.
git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@38106 138bc75d-0d04-0410-961f-82ee72b054a4
---
 gcc/ChangeLog | 14 ++++++++++++++
 gcc/c-common.c | 11 +++++++++--
 gcc/c-common.h | 4 ++++
 gcc/c-decl.c | 4 ++++
 gcc/cp/ChangeLog | 4 ++++
 gcc/cp/decl2.c | 2 ++
 gcc/invoke.texi | 20 ++++++++++++++++----
 gcc/testsuite/ChangeLog | 4 ++++
 gcc/testsuite/gcc.dg/format-sec-1.c | 12 ++++++++++++
 gcc/toplev.c | 3 +++
 10 files changed, 72 insertions(+), 6 deletions(-)
 create mode 100644 gcc/testsuite/gcc.dg/format-sec-1.c
diff --git a/gcc/ChangeLog b/gcc/ChangeLog
index ab777ca90b2..cdd755854b6 100644
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@@ -1,5 +1,19 @@
 2000-12-07 Joseph S. Myers
+ * c-common.c (warn_format_security): New variable.
+ (check_format_info): Warn about non-literal formats with no format
+ arguments if either -Wformat-nonliteral or -Wformat-security is
+ specified.
+ (set_Wformat): Set warn_format_security for settings other than 1.
+ * c-common.h (warn_format_security): Declare.
+ * c-decl.c (c_decode_option): Decode -Wformat-security and
+ -Wno-format-security.
+ * invoke.texi: Document -Wformat-security.
+ * toplev.c (documented_lang_options): Include -Wformat-security
+ and -Wno-format-security.
+
+2000-12-07 Joseph S. Myers
+
 * c-common.c (check_format_info): Warn for non-constant format strings with strftime formats if -Wformat-nonliteral. Where the format can convert arguments, if the format is not a string
diff --git a/gcc/c-common.c b/gcc/c-common.c
index 5e7666a08b3..2baba027a1f 100644
--- a/gcc/c-common.c
+++ b/gcc/c-common.c
@@ -193,6 +193,10 @@ int warn_format_extra_args;
 int warn_format_nonliteral;
+/* Warn about possible security problems with calls to format functions. */
+
+int warn_format_security;
+
 /* Nonzero means warn about possible violations of sequence point rules. */
 int warn_sequence_point;
@@ -2363,7 +2367,7 @@ check_format_info (status, info, params)
 params = TREE_CHAIN (params);
 ++arg_num;
 }
- if (params == 0 && warn_format_nonliteral)
+ if (params == 0 && (warn_format_nonliteral || warn_format_security))
 status_warning (status, "format not a string literal and no format arguments");
 else if (warn_format_nonliteral)
 status_warning (status, "format not a string literal, argument types not checked");
@@ -3401,7 +3405,10 @@ set_Wformat (setting)
 warn_format_y2k = setting;
 warn_format_extra_args = setting;
 if (setting != 1)
- warn_format_nonliteral = setting;
+ {
+ warn_format_nonliteral = setting;
+ warn_format_security = setting;
+ }
 }
 /* Print a warning if a constant expression had overflow in folding.
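Review bot: The `warn_format_security` test added to the changed `if` in check_format_info reaches only the no-arguments branch, so with -Wformat-security alone a non-literal format that is followed by arguments stays silent; the `else if (warn_format_nonliteral)` branch below it is untouched. That matches the invoke.texi text in this patch, which documents the option as a subset of -Wformat-nonliteral, but nothing at the code site says so, and the next reader will wonder why the security flag is consulted in one branch and not the other. A comment above the `if`, such as `/* A non-literal format with no arguments is the case where the format itself may come from untrusted input; -Wformat-security covers only this, the argument-carrying case is left to -Wformat-nonliteral.  */`, would record that decision. The diagnostic text is unchanged, so a user who enabled only -Wformat-security cannot tell from "no format arguments" which option produced the warning; worth noting in the same comment. check_format_info begins and ends outside this hunk.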
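Review bot: The `if (setting != 1)` block in set_Wformat now drives two flags but does not say why setting 1 (presumably plain -Wformat) is excluded while other settings switch -Wformat-nonliteral and -Wformat-security on or off together. A comment on the block, e.g. `/* -Wformat alone neither enables nor disables these; -Wformat=2 turns both on and a zero setting turns both off.  */`, would keep that contract next to the code. The same gating applies to the c-decl.c hunk, where `-Wformat-security` sets the flag directly and, per the invoke.texi text in this patch, has an effect only when -Wformat is also active; a one-line comment there would save the next maintainer a trip to the manual. set_Wformat begins outside this hunk.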
diff --git a/gcc/c-common.h b/gcc/c-common.h
index 7ada2128cfd..437d95dcc3c 100644
--- a/gcc/c-common.h
+++ b/gcc/c-common.h
@@ -361,6 +361,10 @@ extern int warn_format_extra_args;
 extern int warn_format_nonliteral;
+/* Warn about possible security problems with calls to format functions. */
+
+extern int warn_format_security;
+
 /* Warn about possible violations of sequence point rules. */
 extern int warn_sequence_point;
diff --git a/gcc/c-decl.c b/gcc/c-decl.c
index 4f1142a925b..4776cd693d0 100644
--- a/gcc/c-decl.c
+++ b/gcc/c-decl.c
@@ -719,6 +719,10 @@ c_decode_option (argc, argv)
 warn_format_nonliteral = 1;
 else if (!strcmp (p, "-Wno-format-nonliteral"))
 warn_format_nonliteral = 0;
+ else if (!strcmp (p, "-Wformat-security"))
+ warn_format_security = 1;
+ else if (!strcmp (p, "-Wno-format-security"))
+ warn_format_security = 0;
 else if (!strcmp (p, "-Wchar-subscripts"))
 warn_char_subscripts = 1;
 else if (!strcmp (p, "-Wno-char-subscripts"))
diff --git a/gcc/cp/ChangeLog b/gcc/cp/ChangeLog
index 49c3d64f856..9bd55899a61 100644
--- a/gcc/cp/ChangeLog
+++ b/gcc/cp/ChangeLog
@@ -1,3 +1,7 @@
+2000-12-07 Joseph S. Myers
+
+ * decl2.c (lang_decode_option): Handle -Wformat-security.
+
 2000-12-06 Kriang Lerdsuwanakij
 * pt.c (verify_class_unification): New function.
diff --git a/gcc/cp/decl2.c b/gcc/cp/decl2.c
index 99e5591038f..2d14ab54f0f 100644
--- a/gcc/cp/decl2.c
+++ b/gcc/cp/decl2.c
@@ -726,6 +726,8 @@ lang_decode_option (argc, argv)
 warn_format_extra_args = setting;
 else if (!strcmp (p, "format-nonliteral"))
 warn_format_nonliteral = setting;
+ else if (!strcmp (p, "format-security"))
+ warn_format_security = setting;
 else if (!strcmp (p, "missing-format-attribute"))
 warn_missing_format_attribute = setting;
 else if (!strcmp (p, "conversion"))
diff --git a/gcc/invoke.texi b/gcc/invoke.texi
index 13a5594a3a4..c9dc324ba85 100644
--- a/gcc/invoke.texi
+++ b/gcc/invoke.texi
@@ -190,7 +190,7 @@ in the following sections. -Wcast-align -Wcast-qual -Wchar-subscripts -Wcomment -Wconversion -Wdisabled-optimization -Werror -Wfloat-equal -Wformat -Wformat=2
--Wformat-nonliteral
+-Wformat-nonliteral -Wformat-security
 -Wid-clash-@var{len} -Wimplicit -Wimplicit-int -Wimplicit-function-declaration -Werror-implicit-function-declaration
@@ -1610,8 +1610,9 @@ Controlling C Dialect}. @samp{-Wformat} is included in @samp{-Wall}. For more control over some aspects of format checking, the options @samp{-Wno-format-y2k},
-@samp{-Wno-format-extra-args}, @samp{-Wformat-nonliteral} and
-@samp{-Wformat=2} are available, but are not included in @samp{-Wall}.
+@samp{-Wno-format-extra-args}, @samp{-Wformat-nonliteral},
+@samp{-Wformat-security} and @samp{-Wformat=2} are available, but are
+not included in @samp{-Wall}.
 @item -Wno-format-y2k
 If @samp{-Wformat} is specified, do not warn about @code{strftime}
@@ -1627,10 +1628,21 @@ If @samp{-Wformat} is specified, also warn if the format string is not a string literal and so cannot be checked, unless the format function takes its format arguments as a @code{va_list}.
+@item -Wformat-security
+If @samp{-Wformat} is specified, also warn about uses of format
+functions that represent possible security problems. At present, this
+warns about calls to @code{printf} and @code{scanf} functions where the
+format string is not a string literal and there are no format arguments,
+as in @code{printf (foo);}. This may be a security hole if the format
+string came from untrusted input and contains @samp{%n}. (This is
+currently a subset of what @samp{-Wformat-nonliteral} warns about, but
+in future warnings may be added to @samp{-Wformat-security} that are not
+included in @samp{-Wformat-nonliteral}.)
+
 @item -Wformat=2
 Enable @samp{-Wformat} plus format checks not included in @samp{-Wformat}. Currently equivalent to @samp{-Wformat
--Wformat-nonliteral}.
+-Wformat-nonliteral -Wformat-security}.
 @item -Wimplicit-int
 Warn when a declaration does not specify a type.
diff --git a/gcc/testsuite/ChangeLog b/gcc/testsuite/ChangeLog
index d5974942aaa..0a2417cd737 100644
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@@ -1,5 +1,9 @@
 2000-12-07 Joseph S. Myers
+ * format-sec-1.c: New test.
+
+2000-12-07 Joseph S. Myers
+
 * gcc.dg/format-nonlit-3.c: New test.
 2000-12-07 Joseph S. Myers
diff --git a/gcc/testsuite/gcc.dg/format-sec-1.c b/gcc/testsuite/gcc.dg/format-sec-1.c
new file mode 100644
index 00000000000..5ca4905d1be
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/format-sec-1.c
@@ -0,0 +1,12 @@
+/* Test for security warning when non-literal format has no arguments. */
+/* Origin: Joseph Myers */
+/* { dg-do compile } */
+/* { dg-options "-std=gnu99 -Wformat -Wformat-security" } */
+
+extern int printf (const char *, ...);
+
+void
+foo (char *s)
+{
+ printf (s); /* { dg-warning "no format arguments" "security warning" } */
+}
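Review bot: format-sec-1.c pins only the positive case, `printf (s);` under `-Wformat -Wformat-security`, so it would not notice if the new flag started warning for the case the manual text in this patch says it leaves alone, or if it stopped being independent of -Wformat-nonliteral. A second statement in foo, `printf (s, 1); /* { dg-bogus "not a string literal" "security warning" } */`, would assert that a non-literal format with arguments stays quiet when only -Wformat-security is on, matching the "subset of -Wformat-nonliteral" wording in invoke.texi. A sibling test run with `-Wformat=2 -Wno-format-security` would cover the disable path that the c-decl.c and set_Wformat hunks introduce, which no test in this patch exercises.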
diff --git a/gcc/toplev.c b/gcc/toplev.c
index e79aec10283..6407e8a2e94 100644
--- a/gcc/toplev.c
+++ b/gcc/toplev.c
@@ -1236,6 +1236,9 @@ documented_lang_options[] =
 "Don't warn about too many arguments to format functions" },
 { "-Wformat-nonliteral", "Warn about non-string-literal format strings" },
 { "-Wno-format-nonliteral", "" },
+ { "-Wformat-security",
+ "Warn about possible security problems with format functions" },
+ { "-Wno-format-security", "" },
 { "-Wimplicit-function-declaration", "Warn about implicit function declarations" },
 { "-Wno-implicit-function-declaration", "" },
-- 
2.11.4.GIT