Comments (8)
Removing this feature is likely to just push it into the application code, for the applications that already use it. And it is a non-issue for most applications. Leaving it in makes it easy for applications to expose this security vulnerability to the end-user. But how much of an issue is this? I think this issue should be a low priority.
from itk.
This issue only applies to m_SeriesFormat, right? As far as I can see, that's the only case where the user is allowed to specify the formatting by a printf-like string.
The least we could do is add a warning/note to m_SeriesFormat and its setter.
In the future, we could maybe replace it with a C++20 std::format based implementation.
from itk.
> Removing this feature is likely to just push it into the application code, for the applications that already use it.
Depends, in user's application code, it might be a compile-time constant.
> This issue only applies to m_SeriesFormat, right? As far as I can see, that's the only case where the user is allowed to specify the formatting by a printf-like string.
Yes, only one I see too. And the only warnings here too: https://open.cdash.org/viewBuildError.php?type=1&buildid=9579695
> In the future, we could maybe replace it with a C++20 std::format based implementation.
How would that help?
from itk.
> In the future, we could maybe replace it with a C++20 std::format based implementation.
> How would that help?
Correction: I should say std::vformat, not std::format! std::vformat checks that the passed parameters match with the format string. It prevents hackers from accessing arbitrary memory through the format string.
Looking at
snprintf(fileName, IOCommon::ITK_MAXPATHLEN + 1, m_SeriesFormat.c_str(), fileNumber);
Could then (when using C++20) be replaced with something like:
std::string fileName = std::vformat(m_SeriesFormatString, std::make_format_args(fileNumber));
from itk.
Ah that looks promising. I guess it could even be done today, wrapped in #if __cplusplus > xyz and falling back to snprintf in the #else.
from itk.
> Ah that looks promising. I guess it could even be done today, wrapped in #if __cplusplus > xyz and falling back to snprintf in the #else.
Well, ideally yes. But the format of std::format/std::vformat is different from the old printf/snprintf "%d" format. So it would be an API change 🤷.
from itk.
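The thread above weighs three options for the user-controlled format string passed to snprintf: leave it with a warning, switch to std::vformat (which throws std::format_error when the arguments do not match the format, but changes the format syntax and therefore the API), or move file-name generation out of the library. A fourth option that needs neither C++20 nor an API change is to validate the printf-style string before the variadic call. The example below is added here and is not ITK's code; IsSafeSeriesFormat, FormatSeriesFileName and kMaxPathLen are hypothetical stand-ins for the m_SeriesFormat member and IOCommon::ITK_MAXPATHLEN discussed in the thread. It accepts plain text plus exactly one integer conversion and rejects everything that would read or write memory the call never supplied (%n, %s, %p, '*' widths, length modifiers, or a second conversion).

```cpp
// Added example, not ITK code: allowlist check for a user-supplied
// printf-style series format, applied before the snprintf call.
// Names and the path-length constant are hypothetical stand-ins.
#include <cstdio>
#include <cstring>
#include <string>

static constexpr std::size_t kMaxPathLen = 4096;  // assumed; ITK uses IOCommon::ITK_MAXPATHLEN

// True when c is a non-NUL character contained in set.
static bool In(const char * set, char c)
{
  return c != '\0' && std::strchr(set, c) != nullptr;
}

// Accept only plain text plus exactly one integer conversion (%d %i %u %x %X %o)
// with optional flags, width and precision; "%%" is allowed as a literal.
// Rejected: %n (writes through a pointer taken from the argument list),
// %s and %p (read through a bogus pointer), '*' widths and length modifiers
// (consume extra arguments), and any second conversion (reads an argument
// the call never passed).
bool IsSafeSeriesFormat(const std::string & fmt)
{
  int conversions = 0;
  for (std::size_t i = 0; i < fmt.size(); ++i)
  {
    if (fmt[i] != '%')
      continue;
    ++i;
    if (i >= fmt.size())
      return false;  // lone trailing '%'
    if (fmt[i] == '%')
      continue;      // literal percent sign
    while (i < fmt.size() && In("-+ #0", fmt[i]))
      ++i;           // flags
    while (i < fmt.size() && fmt[i] >= '0' && fmt[i] <= '9')
      ++i;           // width
    if (i < fmt.size() && fmt[i] == '.')
    {
      ++i;           // precision
      while (i < fmt.size() && fmt[i] >= '0' && fmt[i] <= '9')
        ++i;
    }
    if (i >= fmt.size() || !In("diuxXo", fmt[i]))
      return false;  // anything but a plain int conversion specifier
    if (++conversions > 1)
      return false;  // more specifiers than arguments
  }
  return conversions == 1;
}

// Formats one series file name.  Returns an empty string when the format is
// rejected or the result would not fit; a real setter would raise instead.
std::string FormatSeriesFileName(const std::string & seriesFormat, int fileNumber)
{
  if (!IsSafeSeriesFormat(seriesFormat))
    return std::string();
  char fileName[kMaxPathLen + 1];
  // Still a non-literal format, but only one int conversion can reach it now.
  const int n = std::snprintf(fileName, sizeof(fileName), seriesFormat.c_str(), fileNumber);
  if (n < 0 || static_cast<std::size_t>(n) >= sizeof(fileName))
    return std::string();
  return std::string(fileName);
}

int main()
{
  // Constructed inputs: one benign format and three that must be rejected.
  const char * formats[] = {"image%03d.png", "image%s.png", "image%n.png", "%d_%d"};
  for (const char * f : formats)
  {
    const std::string out = FormatSeriesFileName(f, 7);
    std::printf("%-16s -> %s\n", f, out.empty() ? "REJECTED" : out.c_str());
  }
  return 0;
}
```

The check is deliberately narrow: it rejects valid but unusual formats (such as "%ld" or "%*d") because the call only ever passes a single int, so anything else is either a mistake or an attempt to read past the argument list. Validating once in the setter, rather than at each snprintf, keeps the existing "%d" API while removing the format-string primitive.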
2 cents: For SimpleITK we did not expose these methods and pushed the generation or globbing to scripting language. Other languages seem more expressive, and less error prone for these types of operations.
from itk.
I guess that will be easier from C++ too, when C++20 is available.
from itk.