From: Alejandro Colomar <alx.manpages@gmail.com>
To: linux-man@vger.kernel.org
Cc: "James O. D. Hunt" <jamesodhunt@gmail.com>, alx.manpages@gmail.com
Subject: [BUG 212887] [PATCH] getopt.3: Clarify behaviour
Date: Fri, 30 Apr 2021 22:00:13 +0200 [thread overview]
Message-ID: <20210430200012.5032-1-alx.manpages@gmail.com> (raw)
From: "James O. D. Hunt" <jamesodhunt@gmail.com>
Improved the `getopt(3)` man page in the following ways:
1) Defined the existing term "legitimate option character".
2) Added an additional NOTE stressing that arguments are parsed in strict
order and the implications of this when numeric options are utilised.
3) Added a new WARNINGS section that alerts the reader to the fact they
should:
- Validate all option argument.
- Take care if mixing numeric options and arguments accepting numeric
values.
Signed-off-by: James O. D. Hunt <jamesodhunt@gmail.com>
Bugzilla: <https://bugzilla.kernel.org/show_bug.cgi?id=212887>
---
I'm only forwarding the patch to the list to better discuss it.
man3/getopt.3 | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 58 insertions(+), 1 deletion(-)
diff --git a/man3/getopt.3 b/man3/getopt.3
index 921e747f8..ec3a5640f 100644
--- a/man3/getopt.3
+++ b/man3/getopt.3
@@ -125,7 +125,13 @@ Then \fIoptind\fP is the index in \fIargv\fP of the first
\fIargv\fP-element that is not an option.
.PP
.I optstring
-is a string containing the legitimate option characters.
+is a string containing the legitimate option characters. A legitimate
+option character is any visible one byte
+.BR ascii (7)
+character (for which
+.BR isgraph (3)
+would return nonzero) that is not the null byte (\(aq\e0\(aq),
+dash (\(aq-\(aq) or colon (\(aq:\(aq).
If such a
character is followed by a colon, the option requires an argument, so
.BR getopt ()
@@ -402,6 +408,22 @@ routine that rechecks
.B POSIXLY_CORRECT
and checks for GNU extensions in
.IR optstring .)
+
+Command-line arguments are parsed in strict order meaning that an option requiring
+an argument will consume the next argument, regardless of whether that
+argument is the correctly specified option argument or simply the next option
+(in the scenario the user mis-specifies the command-line). For example, if
+.IR optstring
+is specified as "1n:"
+and the user incorrectly specifies the command-line arguments as
+\(aqprog\ -n\ -1\(aq, the
+.IR \-n
+option will be given the
+.BR optarg
+value \(aq\-1\(aq, and the
+.IR \-1
+option will be considered to have not been specified.
+
.SH EXAMPLES
.SS getopt()
The following trivial example program uses
@@ -542,6 +564,41 @@ main(int argc, char **argv)
exit(EXIT_SUCCESS);
}
.EE
+
+.SH WARNINGS
+Since
+.BR getopt ()
+allows users to provide values to the program, every care should be taken to
+validate every option value specified by the user calling the program.
+.BR getopt ()
+itself provides no validation so the programmer should perform boundary value
+checks on
+.ft I
+every
+.ft
+argument to minimise the risk of bad input data being accepted by the program.
+String values should be checked to ensure they are not empty (unless
+permitted), sanitized appropriately and that internal buffers used to
+store the string values returned in \fIoptarg\fP are large enough to hold
+pathologically long values. Numeric values should be verified to ensure they
+are within the expected permissible range of values.
+
+Further, since
+.BR getopt ()
+can handle numeric options (such as \(aq-1\(aq or \(aq-2 foo\(aq), care should be
+taken when writing a program that accepts both a numeric flag option and an option
+accepting a numeric argument. Specifically, the program should sanity check the numeric
+\fIoptarg\fP value carefully to protect against the case where a user
+mis-specifies the command-line which chould result in a numeric option flag
+being specified as the \fIoptarg\fP value for the numeric option by mistake.
+For example, if
+.IR optstring
+is specified as "1n:" and the \(aqn\(aq option accepts a numeric value, if the
+command-line is specified accidentally as \(aqprog\ -n\ -1\(aq, care needs to
+be taken to ensure the program does not try to convert the \(aq-1\(aq passed
+to the \(aqn\(aq option into an unsigned numeric value since that would result
+in it being set to the largest possible integer value for the type used to
+encode it.
.SH SEE ALSO
.BR getopt (1),
.BR getsubopt (3)
--
2.31.0
next reply other threads:[~2021-04-30 20:02 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-30 20:00 Alejandro Colomar [this message]
2021-04-30 20:37 ` [BUG 212887] [PATCH] getopt.3: Clarify behaviour Alejandro Colomar (man-pages)
2021-05-01 19:41 ` [BUG 212887] [PATCH v2] " Alejandro Colomar
2021-05-01 20:53 ` Alejandro Colomar (man-pages)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210430200012.5032-1-alx.manpages@gmail.com \
--to=alx.manpages@gmail.com \
--cc=jamesodhunt@gmail.com \
--cc=linux-man@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.