Policy: disallow unsafe string manipulation functions #108917
Labels
No Label
Interest
Alembic
Interest
Animation & Rigging
Interest
Asset Browser
Interest
Asset Browser Project Overview
Interest
Audio
Interest
Automated Testing
Interest
Blender Asset Bundle
Interest
BlendFile
Interest
Collada
Interest
Compatibility
Interest
Compositing
Interest
Core
Interest
Cycles
Interest
Dependency Graph
Interest
Development Management
Interest
EEVEE
Interest
EEVEE & Viewport
Interest
Freestyle
Interest
Geometry Nodes
Interest
Grease Pencil
Interest
ID Management
Interest
Images & Movies
Interest
Import Export
Interest
Line Art
Interest
Masking
Interest
Metal
Interest
Modeling
Interest
Modifiers
Interest
Motion Tracking
Interest
Nodes & Physics
Interest
OpenGL
Interest
Overlay
Interest
Overrides
Interest
Performance
Interest
Physics
Interest
Pipeline, Assets & IO
Interest
Platforms, Builds & Tests
Interest
Python API
Interest
Render & Cycles
Interest
Render Pipeline
Interest
Sculpt, Paint & Texture
Interest
Text Editor
Interest
Translations
Interest
Triaging
Interest
Undo
Interest
USD
Interest
User Interface
Interest
UV Editing
Interest
VFX & Video
Interest
Video Sequencer
Interest
Virtual Reality
Interest
Vulkan
Interest
Wayland
Interest
Workbench
Interest: X11
Legacy
Blender 2.8 Project
Legacy
Milestone 1: Basic, Local Asset Browser
Legacy
OpenGL Error
Meta
Good First Issue
Meta
Papercut
Meta
Retrospective
Meta
Security
Module
Animation & Rigging
Module
Core
Module
Development Management
Module
EEVEE & Viewport
Module
Grease Pencil
Module
Modeling
Module
Nodes & Physics
Module
Pipeline, Assets & IO
Module
Platforms, Builds & Tests
Module
Python API
Module
Render & Cycles
Module
Sculpt, Paint & Texture
Module
Triaging
Module
User Interface
Module
VFX & Video
Platform
FreeBSD
Platform
Linux
Platform
macOS
Platform
Windows
Priority
High
Priority
Low
Priority
Normal
Priority
Unbreak Now!
Status
Archived
Status
Confirmed
Status
Duplicate
Status
Needs Info from Developers
Status
Needs Information from User
Status
Needs Triage
Status
Resolved
Type
Bug
Type
Design
Type
Known Issue
Type
Patch
Type
Report
Type
To Do
No Milestone
No project
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: blender/blender#108917
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This issue proposes to disallow use of unsafe string manipulation functions in parts of the code-base maintained by Blender developers.
Motivation
To prevent unsafe string manipulation, potentially resulting in buffer overflow errors.
Recently I noticed unsafe
strcat
use in some areas of Blender and checked all uses ofstrcat
, finding some cases could cause buffer overflows. Since thenstrcat
has been removed fromsource/
(except formakesrna.c
utility, a separate binary).On further testing, some of these buffer overflows were reasonably easy to trigger (a file exception longer than 32 characters would overflow when calling
BLI_path_frame_strip
for e.g.).Calls to
strcpy
are still used, although in most cases switching toBLI_strncpy
isn't a problem.Rationale
Currently we accept use of strcpy/strcat with the understanding that developers are responsible for ensuring this doesn't cause problems. After having looked over use of these functions - I believe they're error prone enough that they should be avoided entirely.
Even in cases where it seems reasonable to use
strcpy
can lead to potential errors:Was later replaced with:
Meaning a change to translations can result in a buffer overflow.
Notes
Currently there is a double-standard for buffer overflow related bugs in Blender.
strcat
for e.g. shows fairly obvious unsafe usage up until recently.On the other hand, in practice I suspect it's rare for users to encounter buffer overflows - making the case for this proposal less compelling.
There is another consideration however, that we can largely rule out a particular category of bug when investigating a problem, it's also one less thing to have to discuss during code review.
Personally, this alone is reason enough to disallow error-prone string manipulation functions.
Examples
Some commits resolving unsafe
strcat/strcpy
use:b68b66d29e
78f5d9d599
1715f1c1f4
574b2db317
1f6b3c20c8
686ec6310c
21ef4276ee
0428043967
Proposal
Besides updating the WIKI code-style pages, it would be good to disallow using these functions as it's one less thing to have to communicate in code-review.
NOTE: for the initial patch (if we choose to use poisoning), we might first do this for
strcat
as it's use has already been removed.Ensure Policy is Followed
Poison API calls
#pragma deprecated
, need to check on MSVC (possibly__declspec(deprecated)
).BLI_sys_types.h
/BLI_utildefines.h
/BLI_string.h
). Suggest to add a new header to do this which could be included as an argument to the compiler.WITH_COMPILER_POISION_UNSAFE
, which would be enabled for developer builds, to avoid minor differences in compilers breaking the build-bot, while preventing developers using these API's.Enforce manually (code-review etc).
We could just try to follow this as a general rule without having the compiler disallow it. We might want to do this if compilers don't handle poisoning the same way, making it too easy to unintentionally break the build for other developers.
Exceptions
Currently the only exception I'm aware of where we would still want to allow
strcpy
is the RNA API (which assumes a length-check before string access withstrcpy
). In this case an exception would be allowed.Alternative API's
BLI_strncpy
,BLI_strncat
ormemcpy
(for low level buffer operations when sizes have been calculated).Which directories to include?
Initially only
source/
although some directories inintern/
could eventually be included too.Further Changes
We might want to exclude other functions:
sprintf
vsprintf
,strncat
,strncpy
... if there is a consensus among developers that can be made part of this proposal too.Policy: poison unsafe string manipulation funcitons (strcat, strcpy)to Policy: disallow unsafe string manipulation functions (strcat, strcpy)Policy: disallow unsafe string manipulation functions (strcat, strcpy)to Policy: disallow unsafe string manipulation functionsYes please!
Just make sure the poisoning works with all compilers :)
The recent Apple Clang warns (unconditionally!) about use of the insecure string functions. So longer term we should not have exceptions from the rule. It shouldn't be bare
strcpy
anyway, and maybe something likeBLI_strcpy_unsafe
.The
WITH_COMPILER_POISION_UNSAFE
I am not really sure. I wouldn't use it on buildbot, to let people see possible issues early on on platforms they have no direct access to.I would also just forbid unconditionally any usage of these unsafe string manipulation functions. They are indeed dangerous, and impossible to ensure that they will remain properly used, even when initial commit is not buggy.
From investigating this - unfortunately cross platform poisoning/deprecating is impractical unless a header is added to every source file (after system headers).
Added text to avoid unsafe string functions to: https://wiki.blender.org/wiki/Style_Guide/Best_Practice_C_Cpp
Closing.