== Compilers Prevention ==
Many compilers can statically check format strings and produce warnings for dangerous or suspect formats. In [[GNU Compiler Collection|the GNU Compiler Collection]], the relevant compiler flags are <code>-Wall</code>, <code>-Wformat</code>, <code>-Wno-format-extra-args</code>, <code>-Wformat-security</code>, <code>-Wformat-nonliteral</code>, and <code>-Wformat=2</code>.<ref>[https://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Warning-Options.html#Warning-Options Warning Options - Using the GNU Compiler Collection (GCC)]</ref>
Most of these flags are only useful for detecting bad format strings that are known at compile time. If the format string may come from the user or from a source external to the application, the application must validate the format string before using it. Care must also be taken if the application generates or selects format strings on the fly. If the GNU C library is used, the <code>-D_FORTIFY_SOURCE=2</code> parameter can be used to detect certain types of attacks at run time. The <code>-Wformat-nonliteral</code> check is more stringent.
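The following is an added example, not code from the article or from GCC, showing both halves of the advice above: the non-literal call that <code>-Wformat-security</code> flags at compile time next to its fixed form, and a run-time validator for format strings that are selected or generated on the fly. The function names, the allow-list of conversion characters and the sample inputs are assumptions chosen for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable form: an untrusted string is used as the format itself.
   Compiling with "gcc -Wall -Wformat=2 -Wformat-security -O2 -D_FORTIFY_SOURCE=2"
   reports "format not a string literal and no format arguments" here. */
void log_unsafe(const char *msg)
{
    printf(msg);
}

/* Hardened form: the untrusted string is an argument, the format is a literal. */
void log_safe(const char *msg)
{
    printf("%s", msg);
}

/* For formats that are chosen at run time (configuration, message tables),
   validate before use. Returns the number of conversion specifications,
   or -1 if the string contains anything outside a small allow-list:
   "%n" (writes through the argument list), "%p", positional "%1$s",
   "*" widths and unterminated "%" are all rejected. Assumed allow-list. */
int count_safe_conversions(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                      /* "%%" is a literal percent sign */
            continue;
        while (*p && strchr("-+ #0", *p))   /* flags */
            p++;
        while (*p >= '0' && *p <= '9')      /* width */
            p++;
        if (*p == '.') {                    /* precision */
            p++;
            while (*p >= '0' && *p <= '9')
                p++;
        }
        while (*p && strchr("hlLqjzt", *p)) /* length modifiers */
            p++;
        if (!*p || !strchr("dioxXucsfeEgG", *p))
            return -1;
        count++;
    }
    return count;
}

/* A format is acceptable only if it passes the allow-list and consumes
   exactly the number of arguments the caller intends to supply; a mismatch
   would read (or with "%n", write) beyond the real arguments. */
int format_is_acceptable(const char *fmt, int expected_args)
{
    return count_safe_conversions(fmt) == expected_args;
}

int main(void)
{
    /* Constructed sample inputs for demonstration. */
    const char *user_input = "100%% done, %x %x %n";
    log_safe(user_input);                   /* printed verbatim, no interpretation */
    putchar('\n');

    const char *table_fmt = "User %s logged in";
    if (format_is_acceptable(table_fmt, 1))
        printf(table_fmt, "alice");
    else
        printf("%s", table_fmt);            /* fall back to treating it as data */
    putchar('\n');
    return 0;
}
```

The validator is deliberately stricter than what <code>printf</code> accepts: rejecting positional and <code>*</code> forms keeps the argument count checkable with a single pass, which is the property that matters when the format and the argument list come from different places.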