option semanticChecks /--no-checking bool :default DO_SEMANTIC_CHECKS_BY_DEFAULT :link /--no-type-checking
disable ALL semantic checks, including type checks
-# this is just to support security in the online version
+# this is to support security in the online version, and in other similar contexts
# (--no-include-file disables filesystem access in TPTP and SMT2 parsers)
-undocumented-option canIncludeFile /--no-include-file bool :default true
+# the name --no-include-file is legacy: it also now limits any filesystem access
+# (read or write) for example by using --dump-to (or the equivalent set-option) or
+# set-option :regular-output-channel/:diagnostic-output-channel. However, the main
+# driver is still permitted to read the input file given on the command-line if any.
+# creation/use of temp files are still permitted (but the paths aren't given by the
+# user). Also note this is only safe for the version invoked through the main driver,
+# there are ways via the API to get the CVC4 library to open a file for reading or
+# writing and thus leak information from an existing file, or overwrite an existing
+# file with malicious content.
+undocumented-option filesystemAccess /--no-filesystem-access bool :default true
+undocumented-alias --no-include-file = --no-filesystem-access
endmodule
.withChecks(options[options::semanticChecks])
.withStrictMode(options[options::strictParsing])
.withParseOnly(options[options::parseOnly])
- .withIncludeFile(options[options::canIncludeFile]);
+ .withIncludeFile(options[options::filesystemAccess]);
}
ParserBuilder& ParserBuilder::withStrictMode(bool flag) {
throw OptionException(std::string("Bad file name for --dump-to"));
} else if(optarg == "-") {
outStream = &DumpOutC::dump_cout;
+ } else if(!options::filesystemAccess()) {
+ throw OptionException(std::string("Filesystem access not permitted"));
} else {
errno = 0;
outStream = new std::ofstream(optarg.c_str(), std::ofstream::out | std::ofstream::trunc);
outStream = &std::cout;
} else if(optarg == "stderr") {
outStream = &std::cerr;
+ } else if(!options::filesystemAccess()) {
+ throw OptionException(std::string("Filesystem access not permitted"));
} else {
errno = 0;
outStream = new std::ofstream(optarg.c_str(), std::ofstream::out | std::ofstream::trunc);
outStream = &std::cout;
} else if(optarg == "stderr") {
outStream = &std::cerr;
+ } else if(!options::filesystemAccess()) {
+ throw OptionException(std::string("Filesystem access not permitted"));
} else {
errno = 0;
outStream = new std::ofstream(optarg.c_str(), std::ofstream::out | std::ofstream::trunc);
throw OptionException(std::string("Bad file name for --replay-log"));
} else if(optarg == "-") {
return &std::cout;
+ } else if(!options::filesystemAccess()) {
+ throw OptionException(std::string("Filesystem access not permitted"));
} else {
errno = 0;
std::ostream* replayLog = new std::ofstream(optarg.c_str(), std::ofstream::out | std::ofstream::trunc);
projects / cvc5.git / commitdiff