From e125c3b6573972ccfc06d228a7d5abd5306f73be Mon Sep 17 00:00:00 2001 From: Vadim Zeitlin Date: Sun, 12 Feb 2017 00:47:35 +0100 Subject: [PATCH] Allow disabling unsafe implicit conversions in wxString While we have to keep these conversions enabled by default, they are very dangerous as they can result in silent data loss on any system not using a locale with UTF-8 encoding, i.e. always under MSW. Allow mitigating this by defining wxNO_UNSAFE_WXSTRING_CONV when compiling the application code using the library, which makes these conversions invisible to the user code, and so can be used without recompiling the library. Also add wxUSE_UNSAFE_WXSTRING_CONV which can be set to 0 when compiling the library to disable these conversions globally for all applications using it. Closes #11830. --- configure | 36 ++++++++++++++++++++++++++++++ configure.in | 5 +++++ docs/changes.txt | 1 + docs/doxygen/mainpages/const_cpp.h | 17 ++++++++++++++ include/wx/android/setup.h | 12 ++++++++++ include/wx/chkconf.h | 8 +++++++ include/wx/gtk/setup0.h | 12 ++++++++++ include/wx/motif/setup0.h | 12 ++++++++++ include/wx/msw/setup0.h | 12 ++++++++++ include/wx/osx/setup0.h | 12 ++++++++++ include/wx/setup_inc.h | 12 ++++++++++ include/wx/string.h | 7 +++++- include/wx/univ/setup0.h | 12 ++++++++++ setup.h.in | 2 ++ 14 files changed, 159 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 2f72f2abb1..5994e3d50f 100755 --- a/configure +++ b/configure @@ -1119,6 +1119,7 @@ enable_std_containers_compat enable_std_iostreams enable_std_string enable_std_string_conv_in_wxstring +enable_unsafe_conv_in_wxstring enable_unicode enable_utf8 enable_utf8only 
@@ -2057,6 +2058,7 @@ Optional Features: --enable-std_iostreams use standard C++ stream classes --enable-std_string use standard C++ string classes --enable-std_string_conv_in_wxstring provide implicit conversion to std::string in wxString + --disable-unsafe_conv_in_wxstring disable unsafe implicit conversions in wxString --disable-unicode compile without Unicode support --enable-utf8 use UTF-8 representation for strings (Unix only) --enable-utf8only only support UTF-8 locales in UTF-8 build (Unix only) @@ -5469,6 +5471,35 @@ fi eval "$wx_cv_use_std_string_conv_in_wxstring" + enablestring=disable + defaultval= + if test -z "$defaultval"; then + if test x"$enablestring" = xdisable; then + defaultval=yes + else + defaultval=no + fi + fi + + # Check whether --enable-unsafe_conv_in_wxstring was given. +if test "${enable_unsafe_conv_in_wxstring+set}" = set; then : + enableval=$enable_unsafe_conv_in_wxstring; + if test "$enableval" = yes; then + wx_cv_use_unsafe_conv_in_wxstring='wxUSE_UNSAFE_WXSTRING_CONV=yes' + else + wx_cv_use_unsafe_conv_in_wxstring='wxUSE_UNSAFE_WXSTRING_CONV=no' + fi + +else + + wx_cv_use_unsafe_conv_in_wxstring='wxUSE_UNSAFE_WXSTRING_CONV=${'DEFAULT_wxUSE_UNSAFE_WXSTRING_CONV":-$defaultval}" + +fi + + + eval "$wx_cv_use_unsafe_conv_in_wxstring" + + enablestring=disable defaultval= if test -z "$defaultval"; then @@ -32527,6 +32558,11 @@ if test "$wxUSE_STD_STRING_CONV_IN_WXSTRING" = "yes"; then fi +if test "$wxUSE_UNSAFE_WXSTRING_CONV" = "yes"; then + $as_echo "#define wxUSE_UNSAFE_WXSTRING_CONV 1" >>confdefs.h + +fi + if test "$wxUSE_STDPATHS" = "yes"; then $as_echo "#define wxUSE_STDPATHS 1" >>confdefs.h diff --git a/configure.in b/configure.in index 99e15b4784..75ba90ec7f 100644 --- a/configure.in +++ b/configure.in 
@@ -642,6 +642,7 @@ WX_ARG_ENABLE(std_containers_compat, [ --enable-std_containers_compat use s WX_ARG_ENABLE(std_iostreams, [ --enable-std_iostreams use standard C++ stream classes], wxUSE_STD_IOSTREAM) WX_ARG_ENABLE(std_string, [ --enable-std_string use standard C++ string classes], wxUSE_STD_STRING) WX_ARG_ENABLE(std_string_conv_in_wxstring, [ --enable-std_string_conv_in_wxstring provide implicit conversion to std::string in wxString], wxUSE_STD_STRING_CONV_IN_WXSTRING) +WX_ARG_DISABLE(unsafe_conv_in_wxstring, [ --disable-unsafe_conv_in_wxstring disable unsafe implicit conversions in wxString], wxUSE_UNSAFE_WXSTRING_CONV) WX_ARG_DISABLE(unicode, [ --disable-unicode compile without Unicode support], wxUSE_UNICODE) WX_ARG_ENABLE_PARAM(utf8, [ --enable-utf8 use UTF-8 representation for strings (Unix only)], wxUSE_UNICODE_UTF8) WX_ARG_ENABLE(utf8only, [ --enable-utf8only only support UTF-8 locales in UTF-8 build (Unix only)], wxUSE_UNICODE_UTF8_LOCALE) @@ -5665,6 +5666,10 @@ if test "$wxUSE_STD_STRING_CONV_IN_WXSTRING" = "yes"; then AC_DEFINE(wxUSE_STD_STRING_CONV_IN_WXSTRING) fi +if test "$wxUSE_UNSAFE_WXSTRING_CONV" = "yes"; then + AC_DEFINE(wxUSE_UNSAFE_WXSTRING_CONV) +fi + if test "$wxUSE_STDPATHS" = "yes"; then AC_DEFINE(wxUSE_STDPATHS) fi diff --git a/docs/changes.txt b/docs/changes.txt index a8630936dd..124e2befb8 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -69,6 +69,7 @@ INCOMPATIBLE CHANGES SINCE 3.1.0: All: - Add wxSecretStore for storing passwords using the OS-provided facilities. +- Add support for compiling application code with wxNO_UNSAFE_WXSTRING_CONV. - Add support for the micro version (third component) to OS and toolkit version functions. See wxGetOsVersion(), wxPlatformInfo, and wxAppTraits. - wxLogInfo() now logs messages if the log level is high enough, even without diff --git a/docs/doxygen/mainpages/const_cpp.h b/docs/doxygen/mainpages/const_cpp.h index 802a8c7d99..1756d18a82 100644 --- a/docs/doxygen/mainpages/const_cpp.h 
+++ b/docs/doxygen/mainpages/const_cpp.h @@ -286,6 +286,14 @@ more details. wxMSW-specific setting which can be set to 1 to make wxWindow::GetCharWidth() and wxWindow::GetCharHeight() more compatible with old wxWidgets versions. Changing it is not recommended.} +@itemdef{wxUSE_UNSAFE_WXSTRING_CONV, + this option determines if unsafe implicit conversions of wxString to + @c char* or @c std::string (depending on whether @c wxUSE_STL is 0 or + 1) are defined. It is set to 1 by default for compatibility reasons, + however it is recommended to set it to 0 for the new projects. See + also @c wxNO_UNSAFE_WXSTRING_CONV below for an alternative way of + disabling these unsafe conversions not requiring rebuilding the + library.} @endDefList @section page_cppconst_miscellaneous Miscellaneous @@ -326,6 +334,15 @@ more details. don't include compiler flags needed for multithreaded code generation. This implies that wxUSE_THREADS is 0 and also that other (non-wx-based) threading packages cannot be used neither.} +@itemdef{wxNO_UNSAFE_WXSTRING_CONV, + this symbol is not defined by wxWidgets itself, but can be defined by + the applications using the library to disable unsafe implicit + conversions in wxString class. This is especially useful when using + standard build of the library, e.g. installed by the system package + manager under Unix, which is compiled with @c wxUSE_UNSAFE_WXSTRING_CONV + set to 1 for compatibility reasons as @c -DwxNO_UNSAFE_WXSTRING_CONV + can be used only compiling the application code, without rebuilding the + library. Support for this option appeared in wxWidgets 3.1.1.} @itemdef{WXMAKINGDLL_XXX, used internally and defined when building the library @c XXX as a DLL; when a monolithic wxWidgets build is used only a diff --git a/include/wx/android/setup.h b/include/wx/android/setup.h index 2291c62a52..3249bd429f 100644 --- a/include/wx/android/setup.h +++ b/include/wx/android/setup.h 
@@ -54,6 +54,18 @@ // Recommended setting: 0 #define wxDIALOG_UNIT_COMPATIBILITY 0 +// Provide unsafe implicit conversions in wxString to "const char*" or +// "std::string" (depending on wxUSE_STD_STRING_CONV_IN_WXSTRING value). +// +// Default is 1 but only for compatibility reasons, it is recommended to set +// this to 0 because converting wxString to a narrow (non-Unicode) string may +// fail unless a locale using UTF-8 encoding is used, which is never the case +// under MSW, for example, hence such conversions can result in silent data +// loss. +// +// Recommended setting: 0 +#define wxUSE_UNSAFE_WXSTRING_CONV 1 + // ---------------------------------------------------------------------------- // debugging settings // ---------------------------------------------------------------------------- diff --git a/include/wx/chkconf.h b/include/wx/chkconf.h index 2722a6b6a8..3fee662977 100644 --- a/include/wx/chkconf.h +++ b/include/wx/chkconf.h @@ -373,6 +373,14 @@ # endif #endif /* !defined(wxUSE_UNICODE) */ +#ifndef wxUSE_UNSAFE_WXSTRING_CONV +# ifdef wxABORT_ON_CONFIG_ERROR +# error "wxUSE_UNSAFE_WXSTRING_CONV must be defined, please read comment near the top of this file." +# else +# define wxUSE_UNSAFE_WXSTRING_CONV 0 +# endif +#endif /* !defined(wxUSE_UNSAFE_WXSTRING_CONV) */ + #ifndef wxUSE_URL # ifdef wxABORT_ON_CONFIG_ERROR # error "wxUSE_URL must be defined, please read comment near the top of this file." diff --git a/include/wx/gtk/setup0.h b/include/wx/gtk/setup0.h index 27ef6957b5..b99ba3ce3e 100644 --- a/include/wx/gtk/setup0.h +++ b/include/wx/gtk/setup0.h 
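Review bot: The comment added above `#define wxUSE_UNSAFE_WXSTRING_CONV 1` recommends 0 but does not mention the per-application switch this same commit introduces. Anyone reading only setup.h will conclude that a library rebuild is the only way to get the safe behaviour. I would add one line before "Recommended setting", for example `// Applications can also define wxNO_UNSAFE_WXSTRING_CONV to hide these conversions without rebuilding the library.` The same comment block is repeated in the gtk, motif, msw, osx and univ setup0.h hunks and in setup_inc.h, so the addition applies to each of them.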
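Review bot: The fallback `# define wxUSE_UNSAFE_WXSTRING_CONV 0` in chkconf.h is the opposite of the `1` that every setup header in this patch sets. A build whose setup.h predates the option, and which does not define wxABORT_ON_CONFIG_ERROR, therefore gets the conversions switched off silently. That is the fail-closed direction, so the value itself is defensible. The visible effect, though, is application code that used the implicit `const char*` conversion no longer compiling after an upgrade, with nothing pointing at the cause. A short comment on the fallback would help, for example `/* not set in setup.h: fall back to 0, i.e. conversions disabled, unlike the setup.h default of 1 */`.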
@@ -55,6 +55,18 @@ // Recommended setting: 0 #define wxDIALOG_UNIT_COMPATIBILITY 0 +// Provide unsafe implicit conversions in wxString to "const char*" or +// "std::string" (depending on wxUSE_STD_STRING_CONV_IN_WXSTRING value). +// +// Default is 1 but only for compatibility reasons, it is recommended to set +// this to 0 because converting wxString to a narrow (non-Unicode) string may +// fail unless a locale using UTF-8 encoding is used, which is never the case +// under MSW, for example, hence such conversions can result in silent data +// loss. +// +// Recommended setting: 0 +#define wxUSE_UNSAFE_WXSTRING_CONV 1 + // ---------------------------------------------------------------------------- // debugging settings // ---------------------------------------------------------------------------- diff --git a/include/wx/motif/setup0.h b/include/wx/motif/setup0.h index cc609cf02e..9c9fb35f33 100644 --- a/include/wx/motif/setup0.h +++ b/include/wx/motif/setup0.h @@ -55,6 +55,18 @@ // Recommended setting: 0 #define wxDIALOG_UNIT_COMPATIBILITY 0 +// Provide unsafe implicit conversions in wxString to "const char*" or +// "std::string" (depending on wxUSE_STD_STRING_CONV_IN_WXSTRING value). +// +// Default is 1 but only for compatibility reasons, it is recommended to set +// this to 0 because converting wxString to a narrow (non-Unicode) string may +// fail unless a locale using UTF-8 encoding is used, which is never the case +// under MSW, for example, hence such conversions can result in silent data +// loss. +// +// Recommended setting: 0 +#define wxUSE_UNSAFE_WXSTRING_CONV 1 + // ---------------------------------------------------------------------------- // debugging settings // ---------------------------------------------------------------------------- diff --git a/include/wx/msw/setup0.h b/include/wx/msw/setup0.h index 6b4d8bc7dc..ca1579941e 100644 --- a/include/wx/msw/setup0.h +++ b/include/wx/msw/setup0.h 
@@ -55,6 +55,18 @@ // Recommended setting: 0 #define wxDIALOG_UNIT_COMPATIBILITY 0 +// Provide unsafe implicit conversions in wxString to "const char*" or +// "std::string" (depending on wxUSE_STD_STRING_CONV_IN_WXSTRING value). +// +// Default is 1 but only for compatibility reasons, it is recommended to set +// this to 0 because converting wxString to a narrow (non-Unicode) string may +// fail unless a locale using UTF-8 encoding is used, which is never the case +// under MSW, for example, hence such conversions can result in silent data +// loss. +// +// Recommended setting: 0 +#define wxUSE_UNSAFE_WXSTRING_CONV 1 + // ---------------------------------------------------------------------------- // debugging settings // ---------------------------------------------------------------------------- diff --git a/include/wx/osx/setup0.h b/include/wx/osx/setup0.h index a7112dfa97..4a1f5d1604 100644 --- a/include/wx/osx/setup0.h +++ b/include/wx/osx/setup0.h @@ -56,6 +56,18 @@ // Recommended setting: 0 #define wxDIALOG_UNIT_COMPATIBILITY 0 +// Provide unsafe implicit conversions in wxString to "const char*" or +// "std::string" (depending on wxUSE_STD_STRING_CONV_IN_WXSTRING value). +// +// Default is 1 but only for compatibility reasons, it is recommended to set +// this to 0 because converting wxString to a narrow (non-Unicode) string may +// fail unless a locale using UTF-8 encoding is used, which is never the case +// under MSW, for example, hence such conversions can result in silent data +// loss. +// +// Recommended setting: 0 +#define wxUSE_UNSAFE_WXSTRING_CONV 1 + // ---------------------------------------------------------------------------- // debugging settings // ---------------------------------------------------------------------------- diff --git a/include/wx/setup_inc.h b/include/wx/setup_inc.h index 09063c0c7a..b8d5e21b32 100644 --- a/include/wx/setup_inc.h +++ b/include/wx/setup_inc.h 
@@ -51,6 +51,18 @@ // Recommended setting: 0 #define wxDIALOG_UNIT_COMPATIBILITY 0 +// Provide unsafe implicit conversions in wxString to "const char*" or +// "std::string" (depending on wxUSE_STD_STRING_CONV_IN_WXSTRING value). +// +// Default is 1 but only for compatibility reasons, it is recommended to set +// this to 0 because converting wxString to a narrow (non-Unicode) string may +// fail unless a locale using UTF-8 encoding is used, which is never the case +// under MSW, for example, hence such conversions can result in silent data +// loss. +// +// Recommended setting: 0 +#define wxUSE_UNSAFE_WXSTRING_CONV 1 + // ---------------------------------------------------------------------------- // debugging settings // ---------------------------------------------------------------------------- diff --git a/include/wx/string.h b/include/wx/string.h index 7b39add2b1..3441a7f7d6 100644 --- a/include/wx/string.h +++ b/include/wx/string.h @@ -1263,7 +1263,9 @@ public: // they conflict with the implicit conversions to "const char/wchar_t *" // which we use for backwards compatibility but do provide them if // explicitly requested. +#if wxUSE_UNSAFE_WXSTRING_CONV && !defined(wxNO_UNSAFE_WXSTRING_CONV) operator wxStringToStdStringRetType() const { return ToStdString(); } +#endif // wxUSE_UNSAFE_WXSTRING_CONV operator wxStringToStdWstringRetType() const { return ToStdWstring(); } #endif // wxUSE_STD_STRING_CONV_IN_WXSTRING 
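Review bot: In the include/wx/string.h hunk at -1263, the closing `#endif // wxUSE_UNSAFE_WXSTRING_CONV` names only half of the condition it closes, whereas the later hunk in the same file spells it out in full. I would make it `#endif // wxUSE_UNSAFE_WXSTRING_CONV && !defined(wxNO_UNSAFE_WXSTRING_CONV)` so the two guards read the same. The existing comment above the operators also explains only why they sit behind wxUSE_STD_STRING_CONV_IN_WXSTRING. A line such as `// The narrow conversion may lose data in non-UTF-8 locales, so it can be compiled out separately.` before the new `#if` would say why just the first operator is guarded. The enclosing `#if wxUSE_STD_STRING_CONV_IN_WXSTRING` opens outside this hunk.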
@@ -1517,13 +1519,16 @@ public: // messages for the code which relies on implicit conversion to char* in // STL build #if !wxUSE_STD_STRING_CONV_IN_WXSTRING - operator const char*() const { return c_str(); } operator const wchar_t*() const { return c_str(); } +#if wxUSE_UNSAFE_WXSTRING_CONV && !defined(wxNO_UNSAFE_WXSTRING_CONV) + operator const char*() const { return c_str(); } // implicit conversion to untyped pointer for compatibility with previous // wxWidgets versions: this is the same as conversion to const char * so it // may fail! operator const void*() const { return c_str(); } +#endif // wxUSE_UNSAFE_WXSTRING_CONV && !defined(wxNO_UNSAFE_WXSTRING_CONV) + #endif // !wxUSE_STD_STRING_CONV_IN_WXSTRING // identical to c_str(), for MFC compatibility diff --git a/include/wx/univ/setup0.h b/include/wx/univ/setup0.h index a235d4927b..3a0f7d86e2 100644 --- a/include/wx/univ/setup0.h +++ b/include/wx/univ/setup0.h @@ -54,6 +54,18 @@ // Recommended setting: 0 #define wxDIALOG_UNIT_COMPATIBILITY 0 +// Provide unsafe implicit conversions in wxString to "const char*" or +// "std::string" (depending on wxUSE_STD_STRING_CONV_IN_WXSTRING value). +// +// Default is 1 but only for compatibility reasons, it is recommended to set +// this to 0 because converting wxString to a narrow (non-Unicode) string may +// fail unless a locale using UTF-8 encoding is used, which is never the case +// under MSW, for example, hence such conversions can result in silent data +// loss. +// +// Recommended setting: 0 +#define wxUSE_UNSAFE_WXSTRING_CONV 1 + // ---------------------------------------------------------------------------- // debugging settings // ---------------------------------------------------------------------------- diff --git a/setup.h.in b/setup.h.in index 966aad994d..2093812921 100644 --- a/setup.h.in +++ b/setup.h.in @@ -151,6 +151,8 @@ #define wxDIALOG_UNIT_COMPATIBILITY 0 +#define wxUSE_UNSAFE_WXSTRING_CONV 0 + #define wxUSE_ON_FATAL_EXCEPTION 0
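Review bot: In the include/wx/string.h hunk at -1517, the new guard hides wxString's own `operator const char*` and `operator const void*`, but both bodies are just `return c_str();`. The type returned by c_str() must therefore itself convert implicitly to `const char*`, and none of the hunks shown touch that conversion. If it is left as is, `const char* p = s.c_str();` still compiles with wxNO_UNSAFE_WXSTRING_CONV defined and goes through the same locale-dependent narrowing that the option is meant to flag. I would either put that conversion behind the same `#if wxUSE_UNSAFE_WXSTRING_CONV && !defined(wxNO_UNSAFE_WXSTRING_CONV)` condition or state in the wxNO_UNSAFE_WXSTRING_CONV documentation that c_str() is not covered. The class body continues outside the hunk, so this is inferred from the two operator bodies only.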