format-arg-attribute-3.m   [plain text]

/* APPLE LOCAL file radar 5195402 */
/* Test for correct implementation of format_arg attribute on CFStringRef type of
   format strings. */
/* { dg-options "-Wformat -Wformat-security -Wformat-nonliteral -mmacosx-version-min=10.5" } */
/* { dg-do compile { target powerpc*-*-darwin* i?86*-*-darwin* } } */

#include <Cocoa/Cocoa.h>

APPKIT_EXTERN NSInteger My_NSRunAlertPanel(NSString *title, CFStringRef msgFormat, NSString *defaultButton, NSString *alternateButton, NSString *otherButton, ...)
        __attribute__ ((format (__CFString__, 2, 6)));

extern CFStringRef _My_LocalizedStringForKey( CFStringRef key,  NSString *value, NSString *tableName )
                                            __attribute__ ((format_arg (1)));     

#define My_NSLocalizedString(key, comment) \
	    _My_LocalizedStringForKey(key,@"",nil)


static void Buggy_WarnAboutResponse( CFStringRef serverResponse )
{
    /* This next line is a security problem: it passes an untrusted string, received from the network, 
       as the format string of NSRunAlertPanel. At least six such misuses of NSRunAlertPanel were 
       identified and exploited in both Apple and third-party apps, during the Month Of Apple Bugs.
       Fortunately, the format attribute added to My_NSRunAlertPanel causes the compiler to emit 
       a warning for this unsafe call. */
    My_NSRunAlertPanel(@"Bad Server Response:", serverResponse, @"OK",nil,nil);     /* { dg-warning "format not a string literal and no format arguments" } */
}

static void SimpleAlert()
{
    /* My_NSRunAlertPanel this time uses My_NSLocalizedString callfor its formatting argument.
       because of format_arg (1) attribute on My_NSLocalizedString, no warning to be issued.
       Even when -Wformat-nonliteral is specified. */
    My_NSRunAlertPanel(@"Title of oops panel", 
                       My_NSLocalizedString(CFSTR("Something went wrong. Sorry."), @"Message of oops panel"),
                       @"OK",nil,nil);     
}