-
-
Notifications
You must be signed in to change notification settings - Fork 30.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gh-101703: use PyOS_snprintf
instead of sprintf
#101729
Conversation
38f8e7d
to
b33fb2d
Compare
Ok, the first part with constant sized elements is done. Now, more complex ones. |
Looks like we have |
Almost done! There are a couple left, but I don't quite understand the code and I will highly appreciate help / advice on these cases:
|
@Yhg1s @gvanrossum it is ready to be reviewed :) |
I've made the requested changes, thanks for the suggestions 👍 |
@Yhg1s can you please review again? :) |
I've merged it with the latest Does anyone want to take a look once again, please? 😉 |
snprintf
instead of sprintf
PyOS_snprintf
instead of sprintf
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This now has merge conflicts
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sprintf is indeed insecure generally: https://rules.sonarsource.com/c/RSPEC-6069 But, for our cases - I was not able to find a single insecure place, so I don't mark this PR as :security:
In the past, I saw people introducing bugs and security vulnerabilities by attempting to make linters happy about getting rid of "dangerous functions".
Python provides advances functions to format strings in a safe way: PyBytes_FromFormat()
and PyUnicode_FromFormat()
. Moreover, there is also _PyBytesWriter and _PyUnicodeWriter internal API which can be used to "create" a new string in a safe way (without having to handle memory directly).
If a string is longer than expected, PyOS_snprintf()
truncates the string, but your change ignores PyOS_snprintf()
result and so the string is ignored silently. I am not convinced that these changes are worth it:
- It doesn't prevent to truncate strings.
- It's designed to prevent buffer overflow, but it doesn't show examples of possible buffer overfow.
- From my point of view, I don't see how it makes the code easier to maintain or easier to read.
For example, the PR changes FindAddress() to use PyOS_snprintf()
, but it keeps alloca()
which is IMO way more problematic. Using PyBytes_FromFormat()
would be safer here: the function takes care of memory management and allocates memory on the heap, there is no risk of stack overflow.
If you want me to review this PR, I would prefer smaller PRs with a more precise scope and goal.
The worst example that I recall:
Commit message of the fix:
Well, at that time, PHP had no automated test suite, and running tests showed the regression. But well, it's surprising how using "safer" function can introduce a major security vulnerability. The bug allowed to bypass any kind of login page (implemented with |
I wanted to close this PR anyway, I think that we should do it on a per-usage approach. Easier to review, easier to merge. |
Several points of interest:
sprintf
is indeed insecure generally: https://rules.sonarsource.com/c/RSPEC-6069 But, for our cases - I was not able to find a single insecure place, so I don't mark this PR as:security:
snprintf
is also listed as not secure here: https://clang.llvm.org/docs/analyzer/checkers.html#security-insecureapi-deprecatedorunsafebufferhandling-csnprintf
is reported to be slightly slower thansprintf