Hi Todd,

Todd C. Miller wrote on Sun, Jan 13, 2019 at 08:06:22AM -0700:
> On Sun, 13 Jan 2019 05:20:47 +0100, Ingo Schwarze wrote:

>> So adding a subsection to the setlocale(3) manual, containing lists
>> of functions that are likely to break when you call setlocale(3)
>> with bad arguments on non-OpenBSD systems, might make sense.
>> Even if we can't guarantee completeness of these lists, they will
>> give programmers a better idea about the approximate scopes and sizes
>> of the traps.
>>
>> Once we have that, very short pointers in individual pages become
>> sufficient: one short sentence including .Xr setlocale 3 below
>> CAVEATS. Less bloat everywhere, better overview in the one critical
>> place.
>>
>> Does that make sense?
> Sure, that would be similar to how we list signal safe functions > in sigaction(2). Here is a first draft. Maybe it is already good enough for commit; it can always be added to when additional dangers are discovered. OK? I'd like to keep the cleanup in the individual pages separate from the commit to setlocale(3), or i fear the diff might get unwieldy. Yours, Ingo Index: setlocale.3 =================================================================== RCS file: /cvs/src/lib/libc/locale/setlocale.3,v retrieving revision 1.22 diff -u -r1.22 setlocale.3 --- setlocale.3 4 Apr 2018 14:57:51 -0000 1.22 +++ setlocale.3 13 Jan 2019 18:02:11 -0000 @@ -78,7 +78,8 @@ C library. A category of .Dv LC_ALL -sets the entire locale generically. +sets the entire locale generically, which is strongly discouraged for +security reasons in portable programs. .Pp The syntax and semantics of the .Fa locale @@ -126,6 +127,29 @@ The only function in the library that sets the locale is .Fn setlocale ; the locale is never changed as a side effect of some other routine. +.Pp +The +.Dv LC_CTYPE +category modifies the behaviour of at least the following functions: +.Xr iswctype 3 , +.Xr mblen 3 , +.Xr mbrlen 3 , +.Xr mbrtowc 3 , +.Xr mbsrtowcs 3 , +.Xr mbstowcs 3 , +.Xr mbtowc 3 , +.Xr towctrans 3 , +.Xr towlower 3 , +.Xr towupper 3 , +.Xr wcrtomb 3 , +.Xr wcscasecmp 3 , +.Xr wcsrtombs 3 , +.Xr wcstombs 3 , +.Xr wctomb 3 , +.Xr wctrans 3 , +.Xr wctype 3 , +and the functions documented in +.Xr iswalnum 3 . .Sh RETURN VALUES In case of success, .Fn setlocale 
@@ -205,3 +229,99 @@ .Fn setlocale function first appeared in .Bx 4.4 . +.Sh CAVEATS +On systems other than +.Ox , +calling +.Fn setlocale +or +.Xr uselocale 3 +with a +.Fa category +other than +.Dv LC_CTYPE +can cause erratic behaviour of many library functions. +For security reasons, make sure that portable programs never do that +but only use +.Dv LC_CTYPE . +.Pp +For example, the following functions may be affected. +The list is probably incomplete. +For example, additional library functions may be impacted +if they directly or indirectly call affected functions, +or if they attempt to imitate aspects of their behaviour. +Functions that are not standardized may be affected, too. +.Bl -tag -width Ds +.It Dv LC_COLLATE +.Xr glob 3 , +.Xr strcoll 3 , +.Xr strxfrm 3 , +.Xr wcscoll 3 , +.Xr wcsxfrm 3 , +and the functions documented in +.Xr regexec 3 +.It Dv LC_MESSAGES +.Xr catgets 3 , +.Xr catopen 3 , +.Xr nl_langinfo 3 , +.Xr perror 3 , +.Xr psignal 3 , +.Xr strerror 3 , +.Xr strsignal 3 , +and the functions documented in +.Xr err 3 +.It Dv LC_MONETARY +.Xr localeconv 3 , +.Xr nl_langinfo 3 , +.Fn strfmon +.It Dv LC_NUMERIC +.Xr atof 3 , +.Xr localeconv 3 , +.Xr nl_langinfo 3 , +.Fn strfmon , +and the functions documented in +.Xr printf 3 , +.Xr scanf 3 , +.Xr strtod 3 , +.Xr wcstod 3 , +.Xr wprintf 3 , +.Xr wscanf 3 . +This category is particularly dangerous because it can cause bugs +in the parsing and formatting of numbers, for example, but not +limited to, failures to recognize or properly write decimal points. +.It Dv LC_TIME +.Fn getdate , +.Xr nl_langinfo 3 , +.Xr strftime 3 , +.Xr strptime 3 . +Similarly, this is prone to causing bugs in the parsing and formatting +of date strings. 
+.It Dv LC_CTYPE +On systems other than +.Ox , +this category may affect the behaviour of additional functions, +for example: +.Xr btowc 3 , +.Xr isalnum 3 , +.Xr isalpha 3 , +.Xr isblank 3 , +.Xr iscntrl 3 , +.Xr isdigit 3 , +.Xr isgraph 3 , +.Xr islower 3 , +.Xr isprint 3 , +.Xr ispunct 3 , +.Xr isspace 3 , +.Xr isupper 3 , +.Xr isxdigit 3 , +.Xr mbsinit 3 , +.Xr strcasecmp 3 , +.Xr strcoll 3 , +.Xr strxfrm 3 , +.Xr tolower 3 , +.Xr toupper 3 , +.Xr vis 3 , +.Xr wcscoll 3 , +.Xr wcsxfrm 3 , +.Xr wctob 3 +.El
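
Review bot: In the @@ -78,7 +78,8 @@ hunk, the new clause "which is strongly discouraged for security reasons in portable programs" gives the recommendation at the LC_ALL description without saying where the reasoning is. The same diff adds a CAVEATS section that explains it, so the sentence could end with a pointer to that section (for example ".Sx CAVEATS") so that a reader who stops at DESCRIPTION is not left with an unexplained warning.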
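
Review bot: In the @@ -126,6 +127,29 @@ hunk, the paragraph starting "The LC_CTYPE category modifies the behaviour of at least the following functions" does not point to the second LC_CTYPE list that this diff adds under CAVEATS for "systems other than" .Ox. A reader of DESCRIPTION alone could take the shorter list as the portable scope. Suggest a closing sentence here that refers to CAVEATS for the additional functions affected on other systems.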
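
Review bot: In the first CAVEATS paragraph of the @@ -205,3 +229,99 @@ hunk, "calling .Fn setlocale or .Xr uselocale 3 with a .Fa category other than LC_CTYPE" does not fit uselocale(3), which takes a locale_t object and has no category argument; the categories are selected by the mask passed to newlocale(3) when that object is created. Suggest rewording so that the uselocale(3) case refers to a locale object built with categories other than LC_CTYPE. Two smaller style points in the same hunk: the LC_COLLATE, LC_MESSAGES, LC_MONETARY and final LC_CTYPE entries end without a full stop while LC_NUMERIC and LC_TIME end with one, and the second paragraph opens two of its sentences with "For example".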
