In response to a public outcry the strings program now defaults to using the

--all option which displays text from anywhere in the input file(s).  The
default used to be --data, which only displays text from loadable data sections,
but this requires the use of the BFD library.  Since the BFD library almost
certainly still contains buffer overrun and/or memory corruption bugs, and
since the strings program is often used to examine malicious code, it was
decided that the --data option option represents a possible security risk.

	* strings.c: Add new command line option --data to only scan the
	initialized, loadable data secions of binaries.  Choose the
	default behaviour of --all or --data based upon a configure
	option.
	* doc/binutils.texi (strings): Update documentation.  Include
	description  of why the --data option might be unsafe.
	* configure.ac: Add new option --disable-default-strings-all which
	restores the old behaviour of strings using --data by default.  If
	the option is not used make strings use --all by default.
	* NEWS: Mention the new behaviour of strings.
	* configure: Regenerate.
	* config.in: Regenerate.

1 files changed, 26 insertions, 5 deletions

diff --git a/binutils/strings.c b/binutils/strings.c
index f92132b..2cf046f 100644
--- a/binutils/strings.c
+++ b/binutils/strings.c
@@ -21,7 +21,10 @@
    Options:
    --all
    -a
-   -		Do not scan only the initialized data section of object files.
+   -		Scan each file in its entirety.
+
+   --data
+   -d		Scan only the initialized data section(s) of object files.
 
    --print-file-name
    -f		Print the name of the file before each string.
@@ -114,6 +117,7 @@ static int encoding_bytes;
 static struct option long_options[] =
 {
   {"all", no_argument, NULL, 'a'},
+  {"data", no_argument, NULL, 'd'},
   {"print-file-name", no_argument, NULL, 'f'},
   {"bytes", required_argument, NULL, 'n'},
   {"radix", required_argument, NULL, 't'},
@@ -136,7 +140,7 @@ typedef struct
 
 static void strings_a_section (bfd *, asection *, void *);
 static bfd_boolean strings_object_file (const char *);
-static bfd_boolean strings_file (char *file);
+static bfd_boolean strings_file (char *);
 static void print_strings (const char *, FILE *, file_ptr, int, int, char *);
 static void usage (FILE *, int);
 static long get_char (FILE *, file_ptr *, int *, char **);
@@ -167,11 +171,14 @@ main (int argc, char **argv)
   include_all_whitespace = FALSE;
   print_addresses = FALSE;
   print_filenames = FALSE;
-  datasection_only = TRUE;
+  if (DEFAULT_STRINGS_ALL)
+    datasection_only = FALSE;
+  else
+    datasection_only = TRUE;
   target = NULL;
   encoding = 's';
 
-  while ((optc = getopt_long (argc, argv, "afhHn:wot:e:T:Vv0123456789",
+  while ((optc = getopt_long (argc, argv, "adfhHn:wot:e:T:Vv0123456789",
 			      long_options, (int *) 0)) != EOF)
     {
       switch (optc)
@@ -180,6 +187,10 @@ main (int argc, char **argv)
 	  datasection_only = FALSE;
 	  break;
 
+	case 'd':
+	  datasection_only = TRUE;
+	  break;
+
 	case 'f':
 	  print_filenames = TRUE;
 	  break;
@@ -648,8 +659,18 @@ usage (FILE *stream, int status)
 {
   fprintf (stream, _("Usage: %s [option(s)] [file(s)]\n"), program_name);
   fprintf (stream, _(" Display printable strings in [file(s)] (stdin by default)\n"));
-  fprintf (stream, _(" The options are:\n\
+  fprintf (stream, _(" The options are:\n"));
+
+  if (DEFAULT_STRINGS_ALL)
+    fprintf (stream, _("\
+  -a - --all                Scan the entire file, not just the data section [default]\n\
+  -d --data                 Only scan the data sections in the file\n"));
+  else
+    fprintf (stream, _("\
   -a - --all                Scan the entire file, not just the data section\n\
+  -d --data                 Only scan the data sections in the file [default]\n"));
+
+  fprintf (stream, _("\
   -f --print-file-name      Print the name of the file before each string\n\
   -n --bytes=[number]       Locate & print any NUL-terminated sequence of at\n\
   -<number>                   least [number] characters (default 4).\n\